CN113055391A - Method and device for policy configuration conversion during firewall replacement

Info

Publication number: CN113055391A
Authority: CN (China)
Prior art keywords: source, destination, firewall, address, configuration
Legal status: Granted (active)
Application number: CN202110319748.8A
Other languages: Chinese (zh)
Other versions: CN113055391B
Inventor: 王官文
Current assignee: CCB Finetech Co Ltd
Original assignee: CCB Finetech Co Ltd
Events: application filed by CCB Finetech Co Ltd; priority to CN202110319748.8A; publication of CN113055391A; application granted; publication of CN113055391B.

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                • H04L63/0227 Filtering policies
            • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
        • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L41/08 Configuration management of networks or network elements
                • H04L41/0803 Configuration setting
                    • H04L41/0813 Configuration setting characterised by the conditions triggering a change of settings
        • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/2866 Architectures; Arrangements
                • H04L67/30 Profiles
    • Y General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests > Y02 Technologies or applications for mitigation or adaptation against climate change > Y02D Climate change mitigation technologies in information and communication technologies [ICT], i.e. information and communication technologies aiming at the reduction of their own energy use
        • Y02D30/00 Reducing energy consumption in communication networks
            • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention discloses a method and a device for policy configuration conversion during firewall replacement, and relates to the technical field of automatic program design. In one embodiment the method comprises: generating a first parameter table from a first configuration file of a source firewall; processing the first parameter table according to the type of the destination firewall to obtain a second configuration file for the destination firewall, where the first configuration file cannot be recognised by the destination firewall and the second configuration file cannot be recognised by the source firewall; generating a second parameter table from the second configuration file; and comparing the first parameter table with the second parameter table and, once the comparison passes, carrying out the policy configuration replacement. This embodiment ensures that the policy configuration is consistent before and after the firewall replacement, greatly reduces the time and labour cost required for policy configuration conversion during firewall replacement, and addresses the consistency, effectiveness, timeliness and universality of the configuration before and after firewall replacement at the technical level.

Description

Method and device for policy configuration conversion during firewall replacement
Technical Field
The invention relates to the technical field of automatic program design, and in particular to a method and a device for policy configuration conversion during firewall replacement.
Background
In bank data centres, hardware firewalls have in the prior art almost always been devices from foreign manufacturers. With security requirements rising in recent years, the demand for domestically produced firewalls has become increasingly urgent, which brings great opportunities to domestic firewall manufacturers and places higher demands on network operation and maintenance staff.
A typical firewall replacement comprises racking the new device after it arrives, powering it on, cabling, converting the security policy configuration from the old firewall to the new one, switching traffic over and bringing it online, and so on. The policy configuration conversion step accounts for most of the time.
At present, policy configuration conversion is mainly carried out by operation and maintenance staff, or with the manufacturer's assistance, converting the policy configuration manually line by line. Whether the converted configuration is consistent with the original configuration must then be checked manually and repeatedly; efficiency is low and manual conversion is error-prone. In addition, the time required cannot be guaranteed: if the firewall is later replaced with one from yet another manufacturer, the policy configuration conversion must be carried out again from scratch because the technique and experience cannot be transferred, which seriously affects the progress of the firewall replacement.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for policy configuration conversion during firewall replacement, which ensure the consistency of the policy configuration before and after firewall replacement, greatly reduce the time and labour cost required for policy configuration conversion during firewall replacement, and address the consistency, effectiveness, timeliness and universality of the configuration before and after firewall replacement at the technical level.
To achieve the above object, according to one aspect of the embodiments of the present invention, a method for policy configuration conversion during firewall replacement is provided.
A method for policy configuration conversion during firewall replacement comprises the following steps: generating a first parameter table from a first configuration file of a source firewall; processing the first parameter table according to the type of a destination firewall to obtain a second configuration file of the destination firewall, where the first configuration file cannot be recognised by the destination firewall and the second configuration file cannot be recognised by the source firewall; generating a second parameter table from the second configuration file; and comparing the first parameter table with the second parameter table and, once the comparison passes, carrying out the policy configuration replacement.
Optionally, the first parameter table and the second parameter table share a unified data structure and contain the following data items: transport protocol, device name, policy identifier, source IP address, source service port, source zone, source NAT type, source NAT address, source physical interface, destination IP address, destination service port, destination zone, destination NAT type, destination NAT address, destination physical interface, application layer proxy gateway, policy identifier, policy action, policy state, whether the policy is logged, the policy's effective time period, and the policy's description.
Optionally, generating the first parameter table from the first configuration file of the source firewall comprises: reading the first configuration file of the source firewall and determining the type of the source firewall from it; and converting the first configuration file into the first parameter table by executing the policy configuration conversion program corresponding to that source firewall type.
Optionally, converting the first configuration file into the first parameter table comprises: extracting the device name from the first configuration file; extracting security policy element information from the first configuration file and converting it to obtain a policy identifier, source firewall configuration parameters, destination firewall configuration parameters and port policy configuration parameters; and generating the first parameter table from the device name, the policy identifier, the source firewall configuration parameters, the destination firewall configuration parameters and the port policy configuration parameters. Here the source firewall configuration parameters comprise the source zone, source IP address, source NAT type, source NAT address and source physical interface; the destination firewall configuration parameters comprise the destination zone, destination IP address, destination NAT type, destination NAT address and destination physical interface; and the port policy configuration parameters comprise the source service port, destination service port, application layer proxy gateway, policy action, policy state, whether the policy is logged, the policy's effective time period and the policy's description.
Optionally, converting the security policy element information to obtain the source firewall configuration parameters comprises: obtaining the source IP address from the security policy element information and judging whether it has a NAT mapping; if so, converting the source NAT type and source NAT address in the security policy element information and associating the source physical interface, then converting the source IP address in the security policy element information and associating it with the source zone; otherwise, directly converting the source IP address in the security policy element information and associating it with the source zone; and taking the source zone, source IP address, source NAT type, source NAT address and source physical interface as the source firewall configuration parameters.
Optionally, converting the security policy element information to obtain the destination firewall configuration parameters comprises: obtaining the destination IP address from the security policy element information and judging whether it has a NAT mapping; if so, converting the destination NAT type and destination NAT address in the security policy element information and associating the destination physical interface, then converting the destination IP address in the security policy element information and associating it with the destination zone; otherwise, directly converting the destination IP address in the security policy element information and associating it with the destination zone; and taking the destination zone, destination IP address, destination NAT type, destination NAT address and destination physical interface as the destination firewall configuration parameters.
Optionally, converting the security policy element information to obtain the port policy configuration parameters comprises: obtaining the service port information from the security policy element information and judging whether the service port's connection mode is a long-lived (persistent) connection; if so, handling the long-lived connection and then outputting the source service port, destination service port and application layer proxy gateway; otherwise, directly outputting the source service port, destination service port and application layer proxy gateway; converting the policy action, policy state, whether the policy is logged, policy effective time period and policy description in the security policy element information; and taking the output source service port, destination service port and application layer proxy gateway, together with the converted policy action, policy state, logging flag, effective time period and description, as the port policy configuration parameters.
Optionally, processing the first parameter table according to the type of the destination firewall to obtain the second configuration file of the destination firewall comprises: obtaining, according to the destination firewall type, the policy configuration conversion program corresponding to that type; and converting the first parameter table into the second configuration file by executing that program.
Optionally, converting the first parameter table into the second configuration file comprises: extracting the device name from the first parameter table; extracting security policy element information from the first parameter table and converting it to obtain a policy identifier, source firewall configuration parameters, destination firewall configuration parameters and port policy configuration parameters; and generating the second configuration file from the device name, the policy identifier, the source firewall configuration parameters, the destination firewall configuration parameters and the port policy configuration parameters. Here the source firewall configuration parameters comprise the source zone, source IP address, source NAT type, source NAT address and source physical interface; the destination firewall configuration parameters comprise the destination zone, destination IP address, destination NAT type, destination NAT address and destination physical interface; and the port policy configuration parameters comprise the source service port, destination service port, application layer proxy gateway, policy action, policy state, whether the policy is logged, the policy's effective time period and the policy's description.
Optionally, generating the second configuration file from the device name, the policy identifier, the source firewall configuration parameters, the destination firewall configuration parameters and the port policy configuration parameters comprises: executing the policy configuration conversion program corresponding to the destination firewall type to generate, from those parameters, a command-line script that produces the second configuration file; and executing the command-line script to generate the second configuration file.
Optionally, converting the security policy element information to obtain the source firewall configuration parameters comprises: obtaining the source IP address from the security policy element information and judging whether it has a NAT mapping; if so, converting the source NAT type and source NAT address in the security policy element information and associating the source physical interface, then converting the source IP address in the security policy element information and associating it with the source zone; otherwise, directly converting the source IP address in the security policy element information and associating it with the source zone; and taking the source zone, source IP address, source NAT type, source NAT address and source physical interface as the source firewall configuration parameters.
Optionally, converting the security policy element information to obtain the destination firewall configuration parameters comprises: obtaining the destination IP address from the security policy element information and judging whether it has a NAT mapping; if so, converting the destination NAT type and destination NAT address in the security policy element information and associating the destination physical interface, then converting the destination IP address in the security policy element information and associating it with the destination zone; otherwise, directly converting the destination IP address in the security policy element information and associating it with the destination zone; and taking the destination zone, destination IP address, destination NAT type, destination NAT address and destination physical interface as the destination firewall configuration parameters.
Optionally, converting the security policy element information to obtain the port policy configuration parameters comprises: obtaining the service port information from the security policy element information and judging whether the service port's connection mode is a long-lived (persistent) connection; if so, handling the long-lived connection and then outputting the source service port, destination service port and application layer proxy gateway; otherwise, directly outputting the source service port, destination service port and application layer proxy gateway; converting the policy action, policy state, whether the policy is logged, policy effective time period and policy description in the security policy element information; and taking the output source service port, destination service port and application layer proxy gateway, together with the converted policy action, policy state, logging flag, effective time period and description, as the port policy configuration parameters.
Optionally, comparing the first parameter table with the second parameter table comprises comparing the two tables row by row and column by column.
Optionally, if the comparison finds the first parameter table and the second parameter table to be identical, the comparison passes; otherwise it fails. After the comparison, the comparison result is output.
Optionally, the policy configuration conversion program is implemented in the Groovy language.
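The conversion-and-verification pipeline of the method above (source file to first parameter table, table to destination file, destination file back to a second parameter table, row-by-row and column-by-column comparison), as an added example that is not code from the patent; the patent names Groovy, but Python is used here so it can be run directly. Both vendor syntaxes, the field names and the sample configuration are hypothetical and constructed for this example, and only a subset of the patent's columns is carried.

```python
"""Round-trip policy conversion through a unified parameter table, mirroring the patent's comparison."""
from dataclasses import dataclass, fields
import re


@dataclass(frozen=True)
class PolicyRow:
    """One row of the unified parameter table (a subset of the patent's columns)."""
    device: str
    policy_id: str
    src_zone: str
    src_ip: str
    src_nat_type: str   # "none" when the source address has no NAT mapping
    src_nat_addr: str   # destination NAT would be carried the same way
    dst_zone: str
    dst_ip: str
    protocol: str
    dst_port: str
    action: str
    log: bool


# Hypothetical "vendor A" rule syntax of the source firewall (constructed for this example).
_A_RULE = re.compile(
    r"rule (?P<id>\d+) from (?P<sz>\S+) (?P<sip>\S+)(?: snat (?P<snat>\S+))? to (?P<dz>\S+)"
    r" (?P<dip>\S+) (?P<proto>tcp|udp) (?P<port>\d+) (?P<action>permit|deny) (?P<log>log|nolog)$"
)


def parse_vendor_a(config: str) -> list[PolicyRow]:
    """First configuration file -> first parameter table."""
    device, rows = "", []
    for line in (ln.strip() for ln in config.strip().splitlines()):
        if line.startswith("hostname "):
            device = line.split(None, 1)[1]
            continue
        m = _A_RULE.match(line)
        if not m:
            raise ValueError(f"unrecognised vendor A line: {line!r}")
        # NAT branch of the patent: carry a NAT type/address only when a mapping exists.
        rows.append(PolicyRow(
            device=device, policy_id=m["id"], src_zone=m["sz"], src_ip=m["sip"],
            src_nat_type="static" if m["snat"] else "none", src_nat_addr=m["snat"] or "",
            dst_zone=m["dz"], dst_ip=m["dip"], protocol=m["proto"], dst_port=m["port"],
            action=m["action"], log=(m["log"] == "log")))
    return rows


def emit_vendor_b(rows: list[PolicyRow]) -> str:
    """First parameter table -> second configuration file (hypothetical vendor B script)."""
    out = [f"device-name {rows[0].device}"] if rows else []
    for r in rows:
        parts = [f"policy id={r.policy_id}", f"src-zone={r.src_zone}", f"src-ip={r.src_ip}"]
        if r.src_nat_type != "none":
            parts.append(f"src-nat={r.src_nat_type}:{r.src_nat_addr}")
        parts += [f"dst-zone={r.dst_zone}", f"dst-ip={r.dst_ip}",
                  f"service={r.protocol}/{r.dst_port}", f"action={r.action}",
                  f"log={'on' if r.log else 'off'}"]
        out.append(" ".join(parts))
    return "\n".join(out)


def parse_vendor_b(config: str) -> list[PolicyRow]:
    """Second configuration file -> second parameter table (the reverse direction)."""
    device, rows = "", []
    for line in config.strip().splitlines():
        if line.startswith("device-name "):
            device = line.split(None, 1)[1]
            continue
        kv = dict(tok.split("=", 1) for tok in line.split()[1:])
        nat_type, nat_addr = kv.get("src-nat", "none:").split(":", 1)
        proto, port = kv["service"].split("/", 1)
        rows.append(PolicyRow(
            device=device, policy_id=kv["id"], src_zone=kv["src-zone"], src_ip=kv["src-ip"],
            src_nat_type=nat_type, src_nat_addr=nat_addr, dst_zone=kv["dst-zone"],
            dst_ip=kv["dst-ip"], protocol=proto, dst_port=port, action=kv["action"],
            log=(kv["log"] == "on")))
    return rows


def compare_tables(t1: list[PolicyRow], t2: list[PolicyRow]) -> list[tuple]:
    """Row-by-row, column-by-column comparison; returns (row, column, first, second) mismatches."""
    diffs = []
    for i in range(max(len(t1), len(t2))):
        if i >= len(t1) or i >= len(t2):   # a row was lost or gained during conversion
            diffs.append((i, "<row>", t1[i] if i < len(t1) else None,
                          t2[i] if i < len(t2) else None))
            continue
        diffs += [(i, c, getattr(t1[i], c), getattr(t2[i], c))
                  for c in (f.name for f in fields(PolicyRow))
                  if getattr(t1[i], c) != getattr(t2[i], c)]
    return diffs


def convert_and_verify(config_a: str) -> tuple[str, list[tuple]]:
    """Whole pipeline: the replacement may proceed only when the returned diff list is empty."""
    table1 = parse_vendor_a(config_a)
    config_b = emit_vendor_b(table1)
    return config_b, compare_tables(table1, parse_vendor_b(config_b))


# Constructed sample source configuration in the hypothetical vendor A syntax.
SAMPLE_A = """
hostname fw-core-01
rule 10 from dmz 10.1.1.0/24 to core 10.2.2.10 tcp 443 permit log
rule 20 from dmz 10.1.1.5 snat 203.0.113.5 to internet 0.0.0.0/0 tcp 22 deny nolog
"""
```

Calling `convert_and_verify(SAMPLE_A)` returns the vendor B script and an empty diff list; a second file with a dropped logging flag or a missing policy line produces a non-empty list naming the row and column, which is the point at which the patent's comparison fails and replacement must not proceed.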
According to another aspect of the embodiments of the present invention, an apparatus for policy configuration conversion during firewall replacement is provided.
An apparatus for policy configuration conversion during firewall replacement comprises: a first parameter table generation module for generating a first parameter table from a first configuration file of the source firewall; a configuration file generation module for processing the first parameter table according to the type of a destination firewall to obtain a second configuration file of the destination firewall, where the first configuration file cannot be recognised by the destination firewall and the second configuration file cannot be recognised by the source firewall; a second parameter table generation module for generating a second parameter table from the second configuration file; and a parameter table comparison module for comparing the first parameter table with the second parameter table and carrying out the policy configuration replacement once the comparison passes.
Optionally, the first parameter table and the second parameter table share a unified data structure and contain the following data items: transport protocol, device name, policy identifier, source IP address, source service port, source zone, source NAT type, source NAT address, source physical interface, destination IP address, destination service port, destination zone, destination NAT type, destination NAT address, destination physical interface, application layer proxy gateway, policy identifier, policy action, policy state, whether the policy is logged, the policy's effective time period, and the policy's description.
Optionally, the first parameter table generation module is further configured to: read the first configuration file of the source firewall and determine the type of the source firewall from it; and convert the first configuration file into the first parameter table by executing the policy configuration conversion program corresponding to that source firewall type.
Optionally, when converting the first configuration file into the first parameter table, the first parameter table generation module is further configured to: extract the device name from the first configuration file; extract security policy element information from the first configuration file and convert it to obtain a policy identifier, source firewall configuration parameters, destination firewall configuration parameters and port policy configuration parameters; and generate the first parameter table from the device name, the policy identifier, the source firewall configuration parameters, the destination firewall configuration parameters and the port policy configuration parameters. Here the source firewall configuration parameters comprise the source zone, source IP address, source NAT type, source NAT address and source physical interface; the destination firewall configuration parameters comprise the destination zone, destination IP address, destination NAT type, destination NAT address and destination physical interface; and the port policy configuration parameters comprise the source service port, destination service port, application layer proxy gateway, policy action, policy state, whether the policy is logged, the policy's effective time period and the policy's description.
Optionally, when converting the first configuration file into the first parameter table, the first parameter table generation module is further configured to: obtain the source IP address from the security policy element information and judge whether it has a NAT mapping; if so, convert the source NAT type and source NAT address in the security policy element information and associate the source physical interface, then convert the source IP address in the security policy element information and associate it with the source zone; otherwise, directly convert the source IP address in the security policy element information and associate it with the source zone; and take the source zone, source IP address, source NAT type, source NAT address and source physical interface as the source firewall configuration parameters.
Optionally, when converting the first configuration file into the first parameter table, the first parameter table generation module is further configured to: obtain the destination IP address from the security policy element information and judge whether it has a NAT mapping; if so, convert the destination NAT type and destination NAT address in the security policy element information and associate the destination physical interface, then convert the destination IP address in the security policy element information and associate it with the destination zone; otherwise, directly convert the destination IP address in the security policy element information and associate it with the destination zone; and take the destination zone, destination IP address, destination NAT type, destination NAT address and destination physical interface as the destination firewall configuration parameters.
Optionally, when converting the first configuration file into the first parameter table, the first parameter table generation module is further configured to: obtain the service port information from the security policy element information and judge whether the service port's connection mode is a long-lived (persistent) connection; if so, handle the long-lived connection and then output the source service port, destination service port and application layer proxy gateway; otherwise, directly output the source service port, destination service port and application layer proxy gateway; convert the policy action, policy state, whether the policy is logged, policy effective time period and policy description in the security policy element information; and take the output source service port, destination service port and application layer proxy gateway, together with the converted policy action, policy state, logging flag, effective time period and description, as the port policy configuration parameters.
Optionally, the configuration file generation module is further configured to: obtain, according to the destination firewall type, the policy configuration conversion program corresponding to that type; and convert the first parameter table into the second configuration file by executing that program.
Optionally, when converting the first parameter table into the second configuration file, the configuration file generation module is further configured to: extract the device name from the first parameter table; extract security policy element information from the first parameter table and convert it to obtain a policy identifier, source firewall configuration parameters, destination firewall configuration parameters and port policy configuration parameters; and generate the second configuration file from the device name, the policy identifier, the source firewall configuration parameters, the destination firewall configuration parameters and the port policy configuration parameters. Here the source firewall configuration parameters comprise the source zone, source IP address, source NAT type, source NAT address and source physical interface; the destination firewall configuration parameters comprise the destination zone, destination IP address, destination NAT type, destination NAT address and destination physical interface; and the port policy configuration parameters comprise the source service port, destination service port, application layer proxy gateway, policy action, policy state, whether the policy is logged, the policy's effective time period and the policy's description.
Optionally, when converting the first parameter table into the second configuration file, the configuration file generation module is further configured to: execute the policy configuration conversion program corresponding to the destination firewall type to generate, from the device name, the policy identifier, the source firewall configuration parameters, the destination firewall configuration parameters and the port policy configuration parameters, a command-line script that produces the second configuration file; and execute the command-line script to generate the second configuration file.
Optionally, when converting the first parameter table into the second configuration file, the configuration file generation module is further configured to: obtain the source IP address from the security policy element information and judge whether it has a NAT mapping; if so, convert the source NAT type and source NAT address in the security policy element information and associate the source physical interface, then convert the source IP address in the security policy element information and associate it with the source zone; otherwise, directly convert the source IP address in the security policy element information and associate it with the source zone; and take the source zone, source IP address, source NAT type, source NAT address and source physical interface as the source firewall configuration parameters.
Optionally, when converting the first parameter table into the second configuration file, the configuration file generation module is further configured to: obtain the destination IP address from the security policy element information and judge whether it has a NAT mapping; if so, convert the destination NAT type and destination NAT address in the security policy element information and associate the destination physical interface, then convert the destination IP address in the security policy element information and associate it with the destination zone; otherwise, directly convert the destination IP address in the security policy element information and associate it with the destination zone; and take the destination zone, destination IP address, destination NAT type, destination NAT address and destination physical interface as the destination firewall configuration parameters.
Optionally, when converting the first parameter table into the second configuration file, the configuration file generation module is further configured to: obtain the service port information from the security policy element information and judge whether the service port's connection mode is a long-lived (persistent) connection; if so, handle the long-lived connection and then output the source service port, destination service port and application layer proxy gateway; otherwise, directly output the source service port, destination service port and application layer proxy gateway; convert the policy action, policy state, whether the policy is logged, policy effective time period and policy description in the security policy element information; and take the output source service port, destination service port and application layer proxy gateway, together with the converted policy action, policy state, logging flag, effective time period and description, as the port policy configuration parameters.
Optionally, the parameter table comparison module is further configured to compare the first parameter table with the second parameter table row by row and column by column.
Optionally, if the comparison finds the first parameter table and the second parameter table to be identical, the comparison passes; otherwise it fails. After the comparison, the comparison result is output.
Optionally, the policy configuration conversion program is implemented in the Groovy language.
According to another aspect of the embodiment of the invention, an electronic device for policy configuration conversion during firewall replacement is provided.
An electronic device for policy configuration conversion during firewall replacement, comprising: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method for policy configuration conversion during firewall replacement provided by the embodiment of the invention.
According to yet another aspect of embodiments of the present invention, a computer-readable medium is provided.
A computer-readable medium on which a computer program is stored, where the computer program, when executed by a processor, implements the method for policy configuration conversion during firewall replacement provided by an embodiment of the present invention.
One embodiment of the above invention has the following advantages or benefits: a first parameter table is generated according to a first configuration file of a source firewall; the first parameter table is processed according to the type of the destination firewall to obtain a second configuration file of the destination firewall, where the first configuration file cannot be recognized by the destination firewall and the second configuration file cannot be recognized by the source firewall; a second parameter table is generated according to the second configuration file; and the first parameter table is compared with the second parameter table, with the policy configuration replacement performed only after the comparison passes. With this technical scheme, the security policy configuration file of the source firewall is automatically read and converted into a parameter table common to all manufacturers, and the parameter table is then automatically converted into the security policy configuration file of the destination firewall, which greatly improves the efficiency and accuracy of policy configuration conversion and solves the practical problems of high manual conversion error rates, long conversion times and low efficiency. At the same time, bidirectional conversion between the configuration file and the parameter table is supported, and each row and column of the parameter table is compared item by item, so that whether the policy configuration is consistent before and after conversion can be verified quickly; this effectively addresses the high error rate of manual conversion and the high skill requirements placed on operation and maintenance personnel, and ensures at the technical level the consistency, effectiveness, timeliness and universality of the configuration before and after firewall replacement.
Further effects of the above-mentioned non-conventional alternatives will be described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram illustrating the main steps of a method for policy configuration conversion during firewall replacement according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating an implementation of generating a parameter table from a configuration file according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating an implementation of generating a configuration file from a parameter table according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating a parameter table alignment process according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the main modules of an apparatus for policy configuration conversion during firewall replacement according to an embodiment of the present invention;
FIG. 6 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
FIG. 7 is a schematic block diagram of a computer system suitable for use in implementing a terminal device or server of an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
In the introduction of the embodiments of the invention, the technical terms appearing and their meanings are as follows:
Groovy: an object-oriented programming language that can also be used as a pure scripting language;
NAT: Network Address Translation;
ALG: Application Layer Gateway, an application layer proxy gateway;
Five-tuple: a communication term; each firewall security policy contains a five-tuple consisting of a source IP address, a destination IP address, a source service port, a destination service port and a transmission protocol;
Unified parameter table: a parameter table, provided by the invention, that can uniformly describe the security policies of every firewall manufacturer.
In the prior art, the conversion of policy configuration during firewall replacement is mostly done manually: the conversion error rate is high, the conversion takes a long time, the skill requirements on operation and maintenance personnel are high, the configuration file has to be translated by hand from beginning to end, and a large amount of manual processing and checking is needed afterwards, so the practical requirements cannot be met. In a small number of cases, third-party tools or firewall manufacturer tools divide the configuration conversion and translation process into four parts, namely addresses, services, NAT and security policies, but these four parts are handled separately and in isolation; apart from the output format not fully meeting the actual configuration specifications and requirements, after the translation is finished it is still mainly necessary to check manually, repeatedly and many times, whether the policy conversion is consistent and whether it is wrong. Because these schemes are mainly based on five-tuple translation, the interrelation between the security policy and the NAT policy and the relationship between the physical interface and the zone are left disconnected, so it cannot be guaranteed that the referenced NAT policy is the NAT policy actually used when the policy takes effect. For example, a NetScreen or SRX series firewall from the foreign vendor Juniper has the rule that one-to-one NAT mappings take effect first; after conversion to a domestic Hillstone firewall, some versions of the Hillstone firewall have no one-to-one mapping concept but can only express the mapping as SNAT and DNAT rules, and those rules simply take effect in top-to-bottom order, so although there appears to be a security policy with NAT, it cannot be guaranteed that the security policies before and after the conversion are equally effective.
Moreover, each manufacturer's tool only supports converting part of the security policy configuration of other manufacturers into its own manufacturer's policy, cannot convert the newly issued configuration back in the reverse direction so as to compare and verify whether the policy configurations before and after conversion are consistent, and cannot adapt to rapidly changing requirements.
In order to solve these technical problems of the prior art, the invention provides a method for policy configuration conversion during firewall replacement. The configuration file is converted into a parameter table with a unified structure, and the traditional five-tuple is replaced by this unified parameter table, which can describe the security policies of various manufacturers in a uniform way; this solves the problem that, because the elements are independent of and dissociated from one another, consistency before and after security configuration conversion cannot be ensured and a large amount of manual verification is required. The configuration conversion is completed automatically once the configuration file to be converted is input to a computer for execution, and conversion both from a manufacturer A firewall to a manufacturer B firewall and from a manufacturer B firewall to a manufacturer A firewall is supported. This effectively solves the problems of high manual conversion error rates, long and unstable conversion times and high skill requirements on operation and maintenance personnel, as well as the problems that third-party tools or manufacturer operation and maintenance tools cannot produce output in the required format and cannot ensure the consistency, effectiveness and timeliness of the configuration before and after conversion or universality among manufacturers.
Fig. 1 is a schematic diagram illustrating main steps of a method for policy configuration conversion during firewall replacement according to an embodiment of the present invention. As shown in fig. 1, the method for policy configuration conversion during firewall replacement according to the embodiment of the present invention mainly includes the following steps S101 to S104.
Step S101: generating a first parameter table according to a first configuration file of a source firewall;
Step S102: processing the first parameter table according to the type of the destination firewall to obtain a second configuration file of the destination firewall, wherein the first configuration file cannot be recognized by the destination firewall and the second configuration file cannot be recognized by the source firewall;
Step S103: generating a second parameter table according to the second configuration file;
Step S104: comparing the first parameter table with the second parameter table, and performing the policy configuration replacement after the comparison passes.
Through steps S101 to S104, the configuration file is verified by means of the mutual conversion between the firewall configuration file and the parameter table, the consistency and effectiveness of the configuration before and after conversion and universality among manufacturers are ensured, and labour and time costs are saved.
According to an embodiment of the present invention, the first parameter table and the second parameter table have a unified data structure and include the following data items: transmission protocol, device name, policy identifier, source IP address, source service port, source area, source NAT type, source NAT address, source physical interface, destination IP address, destination service port, destination area, destination NAT type, destination NAT address, destination physical interface, application layer proxy gateway, policy action, policy state, whether the policy records a log, policy effective time period and description information of the policy. In a specific implementation, if some data items cannot be obtained or do not need to be obtained, the corresponding data item is assigned a null value.
According to an embodiment of the present invention, in step S101, when generating the first parameter table according to the first configuration file of the source firewall, the method may specifically include the following steps:
reading a first configuration file of a source firewall, and acquiring the type of the source firewall according to the first configuration file;
the first configuration file is converted into a first parameter table by executing a policy configuration conversion program corresponding to the type of the source firewall.
In a specific implementation, the type of the firewall is, for example, the manufacturer of the firewall, or the scripting language in which the firewall's configuration file is implemented, and so on. Once the type of the firewall is known, a pre-stored policy configuration conversion program corresponding to that type can be looked up, and the first configuration file is converted into the first parameter table by executing that program. In an embodiment of the present invention, the policy configuration conversion program is implemented in, for example, the Groovy language, an object-oriented programming language that can also be used as a pure scripting language, can read various text files such as txt, Excel and csv, and can conveniently process script files. The policy configuration conversion program can convert a configuration file into a parameter table and can also convert a parameter table into a configuration file; when it is implemented, whether the logic for converting a configuration file into a parameter table or the logic for converting a parameter table into a configuration file is to be executed can be decided from the form of the program's input data.
In an embodiment of the present invention, converting the first configuration file into the first parameter table specifically includes the following operations:
extracting a device name from the first configuration file;
extracting security policy element information from the first configuration file, and converting it to obtain a policy identifier, source firewall configuration parameters, destination firewall configuration parameters and port policy configuration parameters;
generating the first parameter table according to the device name, the policy identifier, the source firewall configuration parameters, the destination firewall configuration parameters and the port policy configuration parameters;
wherein the source firewall configuration parameters include: a source area, a source IP address, a source NAT type, a source NAT address and a source physical interface;
the destination firewall configuration parameters include: a destination area, a destination IP address, a destination NAT type, a destination NAT address and a destination physical interface;
the port policy configuration parameters include: a source service port, a destination service port, an application layer proxy gateway, a policy action, a policy state, whether the policy records a log, a policy effective time period and description information of the policy.
How the first configuration file is converted into the first parameter table according to the embodiment of the present invention is described below with reference to fig. 2. Fig. 2 is a schematic diagram of the implementation process of generating a parameter table from a configuration file according to an embodiment of the present invention. As shown in fig. 2, in this embodiment the type of the firewall is described by taking the manufacturer of the firewall as an example. First, a first configuration file (for example, a text file in txt format) of the source firewall of manufacturer A is read, and the type of the source firewall is determined from the contents of the first configuration file, namely manufacturer A; then the first configuration file is converted into the first parameter table by executing the policy configuration conversion program corresponding to manufacturer A, in the direction from configuration file to parameter table, which parses and processes the file and outputs each item of the first parameter table. In this embodiment, the first parameter table is, for example, a csv-format file for manufacturer A's source firewall.
Specifically, converting the first configuration file into the first parameter table may include the following parts:
1. Extract the device name from the first configuration file;
2. Extract the security policy element information from the first configuration file, and convert it to obtain the policy identifier. The policy identifier is, for example, an identifier code that uniquely identifies the policy, such as a policy name;
3. Convert the security policy element information to obtain the source firewall configuration parameters:
acquire the source IP address from the security policy element information, and judge whether the source IP address has a NAT mapping. Here, the source IP address may be a single address or multiple addresses;
if so, convert the source NAT type and the source NAT address in the security policy element information, and associate a source physical interface; then convert the source IP address in the security policy element information and associate it with the source area. The source NAT type is one-to-one NAT, many-to-one NAT or many-to-many NAT, and the source NAT address may be a single address or multiple addresses;
otherwise, directly convert the source IP address in the security policy element information and associate it with the source area;
take the source area, the source IP address, the source NAT type, the source NAT address and the source physical interface as the source firewall configuration parameters;
4. Convert the security policy element information to obtain the destination firewall configuration parameters:
acquire the destination IP address from the security policy element information, and judge whether the destination IP address has a NAT mapping;
if so, convert the destination NAT type and the destination NAT address in the security policy element information, and associate a destination physical interface; then convert the destination IP address in the security policy element information and associate it with the destination area. The destination NAT type is, for example, one-to-one NAT or policy-based mapping;
otherwise, directly convert the destination IP address in the security policy element information and associate it with the destination area;
take the destination area, the destination IP address, the destination NAT type, the destination NAT address and the destination physical interface as the destination firewall configuration parameters;
5. Convert the security policy element information to obtain the port policy configuration parameters:
acquire the service port related information from the security policy element information, and judge whether the connection mode of the service port is a long connection;
if so, process the long connection and output the source service port, the destination service port and the application layer proxy gateway;
otherwise, directly output the source service port, the destination service port and the application layer proxy gateway;
convert the policy action, the policy state, whether the policy records a log, the policy effective time period and the policy description information in the security policy element information. The policy state indicates whether the policy is enabled or disabled, the policy action indicates whether traffic is allowed or rejected, and the policy effective time period expresses whether the policy is effective permanently or only within a limited time period;
take the output source service port, destination service port and application layer proxy gateway, together with the converted policy action, policy state, whether the policy records a log, policy effective time period and policy description information, as the port policy configuration parameters. In addition, port policy configuration parameters such as the service protocol type and the service timeout duration can also be acquired from the service port related information;
6. Generate the first parameter table according to the device name, the policy identifier, the source firewall configuration parameters, the destination firewall configuration parameters and the port policy configuration parameters obtained in steps 1 to 5.
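The configuration-file-to-parameter-table procedure above (parts 1 to 6), as an added Python example that is not the patent's own Groovy program: it reads a constructed manufacturer-A configuration whose syntax, NAT entries, addresses and policies are all hypothetical, applies the NAT-mapping check to the source and destination addresses and the long-connection check to the service port, and writes the rows out as a csv-format parameter table.

```python
"""Added example (not the patent's own code): step S101, reading a
manufacturer-A-style configuration file into the unified parameter table.
The configuration syntax is hypothetical; the column names follow the data
items listed in the patent."""
import csv
import io
import shlex

# Columns of the unified parameter table (data items named in the patent, plus a
# service timeout column, which the patent says may also come from the port information).
COLUMNS = [
    "protocol", "device", "policy_id",
    "src_ip", "src_port", "src_zone", "src_nat_type", "src_nat_addr", "src_iface",
    "dst_ip", "dst_port", "dst_zone", "dst_nat_type", "dst_nat_addr", "dst_iface",
    "alg", "action", "state", "log", "schedule", "description", "timeout",
]

# Constructed manufacturer-A configuration (hypothetical syntax):
#   nat <type> <address-as-seen-in-policies> <translated-address> interface <ifname>
#   policy <name> from <zone> to <zone> src <ip> dst <ip> service <proto>/<port>
#          action <permit|deny> log <yes|no> schedule <name> [alg <name>] [keepalive] [disabled] desc "<text>"
VENDOR_A_CONFIG = """\
device fw-a-edge1
nat one-to-one 203.0.113.10 10.1.1.10 interface eth1
nat many-to-one 10.2.0.0/16 198.51.100.1 interface eth0
policy web-in from untrust to trust src any dst 203.0.113.10 service tcp/80 action permit log yes schedule always desc "public web"
policy out-ftp from dmz to untrust src 10.2.0.0/16 dst any service tcp/21 action permit log yes schedule always alg ftp desc "outbound ftp"
policy db-sync from trust to dmz src 10.1.1.20 dst 10.3.0.5 service tcp/1521 action permit log no schedule work-hours keepalive disabled desc "db sync"
"""

FLAGS = {"keepalive", "disabled"}  # bare tokens that take no value


def _kv(tokens):
    """Turn 'key value ... flag ...' tokens into a dict; bare flags map to True."""
    out, i = {}, 0
    while i < len(tokens):
        if tokens[i] in FLAGS:
            out[tokens[i]] = True
            i += 1
        else:
            out[tokens[i]] = tokens[i + 1]
            i += 2
    return out


def _address_side(ip, nats):
    """Source/destination handling from the patent: if the address has a NAT
    mapping, convert the NAT type and NAT address and associate the physical
    interface; otherwise convert the address directly with empty NAT fields."""
    nat = nats.get(ip)
    if nat:
        return ip, nat["type"], nat["addr"], nat["iface"]
    return ip, "", "", ""


def _policy_row(device, name, kv, nats):
    """Build one unified-table row from a parsed policy line."""
    proto, _, dport = kv["service"].partition("/")
    src_ip, src_type, src_addr, src_if = _address_side(kv["src"], nats)
    dst_ip, dst_type, dst_addr, dst_if = _address_side(kv["dst"], nats)
    return {
        "protocol": proto, "device": device, "policy_id": name,
        "src_ip": src_ip, "src_port": "any", "src_zone": kv["from"],
        "src_nat_type": src_type, "src_nat_addr": src_addr, "src_iface": src_if,
        "dst_ip": dst_ip, "dst_port": dport, "dst_zone": kv["to"],
        "dst_nat_type": dst_type, "dst_nat_addr": dst_addr, "dst_iface": dst_if,
        "alg": kv.get("alg", ""),
        "action": kv["action"],
        "state": "disabled" if kv.get("disabled") else "enabled",
        "log": kv["log"], "schedule": kv["schedule"], "description": kv.get("desc", ""),
        # long connection: the session is kept alive instead of using the default timeout
        "timeout": "long" if kv.get("keepalive") else "default",
    }


def config_to_table(text):
    """Parse a manufacturer-A configuration into a list of unified-table rows."""
    lines = [t for t in (shlex.split(raw) for raw in text.splitlines()) if t]
    device, nats = "", {}
    for t in lines:  # first pass: device name and NAT mappings
        if t[0] == "device":
            device = t[1]
        elif t[0] == "nat":
            # keyed by the address that appears in policies; value holds the translation
            nats[t[2]] = {"type": t[1], "addr": t[3], "iface": t[5]}
    return [_policy_row(device, t[1], _kv(t[2:]), nats) for t in lines if t[0] == "policy"]


def table_to_csv(rows):
    """Serialise the rows as the csv-format first parameter table."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(table_to_csv(config_to_table(VENDOR_A_CONFIG)))
```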
According to an embodiment of the present invention, processing the first parameter table according to the type of the destination firewall in step S102 to obtain the second configuration file of the destination firewall may specifically include the following steps:
acquiring, according to the type of the destination firewall, the policy configuration conversion program corresponding to that type;
converting the first parameter table into the second configuration file by executing the policy configuration conversion program corresponding to the type of the destination firewall.
In a specific implementation, the type of the firewall is, for example, the manufacturer of the firewall, or the scripting language in which the firewall's configuration file is implemented, and so on. Once the type of the firewall is known, the pre-stored policy configuration conversion program corresponding to that type can be looked up and executed to convert the first parameter table of the source firewall into the second configuration file of the destination firewall. In an embodiment of the present invention, the policy configuration conversion program is implemented in, for example, the Groovy language, an object-oriented programming language that can also be used as a pure scripting language, can read various text files such as txt, Excel and csv, and can conveniently process script files. The policy configuration conversion program can convert a configuration file into a parameter table and can also convert a parameter table into a configuration file; when it is implemented, whether the logic for converting a configuration file into a parameter table or the logic for converting a parameter table into a configuration file is to be executed can be decided from the form of the program's input data.
In the embodiment of the present invention, converting the first parameter table into the second configuration file specifically includes the following operations:
extracting the device name from the first parameter table;
extracting security policy element information from the first parameter table, and converting it to obtain a policy identifier, source firewall configuration parameters, destination firewall configuration parameters and port policy configuration parameters;
generating the second configuration file according to the device name, the policy identifier, the source firewall configuration parameters, the destination firewall configuration parameters and the port policy configuration parameters;
wherein the source firewall configuration parameters include: a source area, a source IP address, a source NAT type, a source NAT address and a source physical interface;
the destination firewall configuration parameters include: a destination area, a destination IP address, a destination NAT type, a destination NAT address and a destination physical interface;
the port policy configuration parameters include: a source service port, a destination service port, an application layer proxy gateway, a policy action, a policy state, whether the policy records a log, a policy effective time period and description information of the policy.
According to an embodiment of the present invention, when generating the second configuration file according to the device name, the policy identifier, the source firewall configuration parameter, the destination firewall configuration parameter, and the port policy configuration parameter, the method may specifically include:
generating, by executing the policy configuration conversion program corresponding to the type of the destination firewall, a command line script for generating the second configuration file from the device name, the policy identifier, the source firewall configuration parameters, the destination firewall configuration parameters and the port policy configuration parameters;
the command line script is executed to generate a second configuration file.
How the first parameter table is converted into the second configuration file according to the embodiment of the present invention is described below with reference to fig. 3. Fig. 3 is a schematic diagram of the implementation process of generating a configuration file from a parameter table according to an embodiment of the present invention. As shown in fig. 3, in this embodiment the type of the firewall is described by taking the manufacturer of the firewall as an example. First, the first parameter table (for example, a csv-format file) of the source firewall of manufacturer A is read, and the type of the destination firewall is obtained, namely manufacturer B; then, by executing the policy configuration conversion program corresponding to manufacturer B, in the direction from parameter table to configuration file, the first parameter table is processed and each item of content of the second configuration file corresponding to the destination firewall is output, so that the first parameter table is converted into the second configuration file. In this embodiment, the second configuration file is, for example, a txt-format file of the destination firewall of manufacturer B.
According to the technical scheme of this embodiment, when the first parameter table is processed and each item of content of the second configuration file is output in order to convert the first parameter table into the second configuration file, the first parameter table may first be processed to obtain each item of content of the second configuration file corresponding to the destination firewall, those contents are then written into a command line script for the new device, and the second configuration file is generated by executing the command line script.
As shown in fig. 3, converting the first parameter table into the second configuration file may specifically include the following parts:
1. Extract the device name from the first parameter table;
2. Extract the security policy element information from the first parameter table, and convert it to obtain the policy identifier. The policy identifier is, for example, an identifier code that uniquely identifies the policy, such as a policy name;
3. Convert the security policy element information to obtain the source firewall configuration parameters, and generate the corresponding script from those parameters. Specifically, the source firewall configuration parameters are obtained as follows:
acquire the source IP address from the security policy element information, and judge whether the source IP address has a NAT mapping. Here, the source IP address may be a single address or multiple addresses;
if so, convert the source NAT type and the source NAT address in the security policy element information, and associate a source physical interface; then convert the source IP address in the security policy element information and associate it with the source area. The source NAT type is one-to-one NAT, many-to-one NAT or many-to-many NAT, and the source NAT address may be a single address or multiple addresses;
otherwise, directly convert the source IP address in the security policy element information and associate it with the source area;
take the source area, the source IP address, the source NAT type, the source NAT address and the source physical interface as the source firewall configuration parameters;
4. Convert the security policy element information to obtain the destination firewall configuration parameters, and generate the corresponding script from those parameters. Specifically, the destination firewall configuration parameters are obtained as follows:
acquire the destination IP address from the security policy element information, and judge whether the destination IP address has a NAT mapping;
if so, convert the destination NAT type and the destination NAT address in the security policy element information, and associate a destination physical interface; then convert the destination IP address in the security policy element information and associate it with the destination area. The destination NAT type is, for example, one-to-one NAT or policy-based mapping;
otherwise, directly convert the destination IP address in the security policy element information and associate it with the destination area;
take the destination area, the destination IP address, the destination NAT type, the destination NAT address and the destination physical interface as the destination firewall configuration parameters;
5. Convert the security policy element information to obtain the port policy configuration parameters, and generate the corresponding script from those parameters. Specifically:
acquire the service port related information from the security policy element information, and judge whether the connection mode of the service port is a long connection;
if so, process the long connection and output the source service port, the destination service port and the application layer proxy gateway; then generate the corresponding script from the source service port, the destination service port and the application layer proxy gateway;
otherwise, directly output the source service port, the destination service port and the application layer proxy gateway; then generate the corresponding script from the source service port, the destination service port and the application layer proxy gateway;
convert the policy action, the policy state, whether the policy records a log, the policy effective time period and the policy description information in the security policy element information, then generate the corresponding script from these parameters. The policy state indicates whether the policy is enabled or disabled, the policy action indicates whether traffic is allowed or rejected, and the policy effective time period expresses whether the policy is effective permanently or only within a limited time period;
take the output source service port, destination service port and application layer proxy gateway, together with the converted policy action, policy state, whether the policy records a log, policy effective time period and policy description information, as the port policy configuration parameters. In addition, port policy configuration parameters such as the service protocol type and the service timeout duration can also be acquired from the service port related information;
6. Generate the second configuration file by executing the scripts generated from the device name, the policy identifier, the source firewall configuration parameters, the destination firewall configuration parameters and the port policy configuration parameters obtained in steps 1 to 5.
According to the embodiment of the present invention, the process of generating the second parameter table according to the second configuration file in step S103 is similar to the process of generating the first parameter table according to the first configuration file of the source firewall in step S101, except that the policy configuration conversion program used in step S103 is the policy configuration conversion program corresponding to the type of the destination firewall. For a detailed implementation process, refer to fig. 2, which is not described herein again.
Finally, step S104 checks whether the generated second configuration file of the destination firewall is correct by comparing the first parameter table with the second parameter table, which ensures that the policy configuration is consistent before and after replacement. According to an embodiment of the present invention, the first parameter table and the second parameter table are compared row by row. If the comparison result is that the two tables are the same, the comparison is passed; otherwise it is not passed. The two tables are the same when every row and every column compares equal. After the comparison, a comparison result is output that lists the rows and columns that are the same and the rows and columns that differ. If any rows or columns differ, the generated second configuration file of the destination firewall is incorrect and still needs to be corrected. Verifying the policy configuration conversion result at firewall replacement with the method provided by the invention is quicker and more accurate than doing so manually.
FIG. 4 is a schematic diagram of a parameter table comparison process according to an embodiment of the present invention. As shown in fig. 4, first the first parameter table and the second parameter table are obtained; then the two tables are compared row by row and column by column, and whether they are the same is judged from the comparison result; if yes, the final result and the identical items are output; otherwise, the final result and the differing items are output.
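The NAT-mapping branch of steps 3 and 4, the generation of the destination script, and the row-by-row, column-by-column comparison of step S104 and fig. 4, as an added example in Python that is not code from the patent or from CCB Finetech (the patent's own program is written in Groovy). The two key=value configuration dialects, the keyword maps, the function names and the two sample policies are constructed for illustration; the patent does not specify how a vendor's persistent-connection handling is performed, so that branch is not modelled.

```python
"""Added example, not code from the patent or CCB Finetech: a Python sketch (the
patent's program is in Groovy) of the unified parameter table, the NAT-mapping
branch of steps 3/4, the destination script of S102 and the row-by-row, column-
by-column comparison of S104 / fig. 4. Dialects, key maps and policies are constructed."""
import shlex

# Columns of the unified parameter table, in the order the patent lists them.
COLUMNS = ("transport_protocol", "device_name", "policy_id", "src_ip", "src_port",
           "src_area", "src_nat_type", "src_nat_addr", "src_if", "dst_ip", "dst_port",
           "dst_area", "dst_nat_type", "dst_nat_addr", "dst_if", "alg", "action",
           "state", "log", "effective_period", "description")

# Constructed keyword maps for a source ("type A") and a destination ("type B")
# dialect, i.e. the per-type conversion program. "_" values are intermediate.
SRC_KEYS = {"id": "policy_id", "proto": "transport_protocol", "src-ip": "src_ip",
            "src-zone": "src_area", "src-port": "src_port", "dst-ip": "dst_ip",
            "dst-zone": "dst_area", "dst-port": "dst_port", "alg": "alg",
            "action": "action", "state": "state", "log": "log", "desc": "description",
            "period": "effective_period", "src-nat": "_src_nat", "dst-nat": "_dst_nat"}
DST_KEYS = {"name": "policy_id", "protocol": "transport_protocol",
            "source-address": "src_ip", "from-zone": "src_area", "source-port": "src_port",
            "destination-address": "dst_ip", "to-zone": "dst_area",
            "destination-port": "dst_port", "application-gateway": "alg",
            "then": "action", "status": "state", "logging": "log",
            "schedule": "effective_period", "comment": "description",
            "source-nat": "_src_nat", "destination-nat": "_dst_nat"}

# Constructed first configuration file of the source firewall.
SOURCE_CONFIG = """hostname FW-A
rule id=10 proto=tcp src-ip=10.1.1.5 src-zone=trust dst-ip=192.0.2.10 dst-zone=untrust \
src-port=any dst-port=443 src-nat=snat:203.0.113.7@eth1 dst-nat=none alg=none \
action=permit state=enable log=yes period=always desc="web out"
rule id=20 proto=tcp src-ip=10.1.2.0/24 src-zone=trust dst-ip=198.51.100.20 dst-zone=dmz \
src-port=any dst-port=21 src-nat=none dst-nat=dnat:172.16.0.20@eth2 alg=ftp \
action=deny state=disable log=no period=09:00-18:00 desc="ftp dmz"
"""

def _expand_nat(row, side):
    """Steps 3/4: with a NAT mapping, convert NAT type and NAT address and associate
    the physical interface; otherwise the three NAT columns stay empty."""
    spec = row.pop(f"_{side}_nat", "none")
    row[f"{side}_nat_type"] = row[f"{side}_nat_addr"] = row[f"{side}_if"] = ""
    if spec != "none":
        row[f"{side}_nat_type"], rest = spec.split(":", 1)
        row[f"{side}_nat_addr"], row[f"{side}_if"] = rest.split("@", 1)

def parse_config(text, keymap, rule_prefix, host_prefix):
    """S101/S103: convert one dialect into the unified table (one dict per policy)."""
    device, table = "", []
    for line in text.splitlines():
        tokens = shlex.split(line)          # honours quoted descriptions
        if not tokens: continue
        if tokens[:len(host_prefix)] == host_prefix:
            device = tokens[len(host_prefix)]
            continue
        if tokens[:len(rule_prefix)] != rule_prefix:
            raise ValueError(f"unrecognised line: {line!r}")
        row = {"device_name": device}
        for tok in tokens[len(rule_prefix):]:
            key, value = tok.split("=", 1)
            row[keymap[key]] = value
        for side in ("src", "dst"):
            _expand_nat(row, side)
        if missing := set(COLUMNS) - row.keys():
            raise ValueError(f"policy {row.get('policy_id')} lacks {sorted(missing)}")
        table.append({col: row[col] for col in COLUMNS})
    return table

def render_destination(table):
    """S102: emit the destination dialect's script; NAT columns are re-packed."""
    inv = {col: key for key, col in DST_KEYS.items() if not col.startswith("_")}
    lines = [f"set hostname {table[0]['device_name']}"] if table else []
    for row in table:
        parts = ["set", "policy"] + [f"{inv[c]}={shlex.quote(row[c])}" for c in COLUMNS if c in inv]
        for side, key in (("src", "source-nat"), ("dst", "destination-nat")):
            if row[f"{side}_nat_type"]:
                parts.append(f"{key}={row[side + '_nat_type']}:{row[side + '_nat_addr']}@{row[side + '_if']}")
        lines.append(" ".join(parts))
    return "\n".join(lines) + "\n"

def compare_tables(first, second):
    """S104 / fig. 4: row-by-row, column-by-column comparison; returns (passed,
    same_cells, different_cells), each cell as (row, column, first, second)."""
    same, different = [], []
    for i, (a, b) in enumerate(zip(first, second)):
        for col in COLUMNS:
            (same if a[col] == b[col] else different).append((i, col, a[col], b[col]))
    if len(first) != len(second):
        different.append((len(second), "row_count", len(first), len(second)))
    return not different, same, different

def round_trip(source_text, tamper=None):
    """S101 to S104; `tamper` rewrites the generated script to simulate a faulty conversion."""
    first = parse_config(source_text, SRC_KEYS, ["rule"], ["hostname"])
    script = render_destination(first)
    if tamper: script = script.replace(*tamper)
    second = parse_config(script, DST_KEYS, ["set", "policy"], ["set", "hostname"])
    return compare_tables(first, second)
```

With the constructed input, a faithful round trip passes with all 42 cells identical, while tampering the generated script (for example rewriting the first rule's destination port) fails and reports exactly the differing cell.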
According to the technical scheme of the invention, the convenience of processing script files in the Groovy language is exploited: the security policy configuration file of the source firewall is automatically read and converted into a unified parameter table common to all vendors, and that unified parameter table is then automatically converted into the security policy configuration file of the destination firewall, which greatly improves the efficiency and accuracy of policy configuration conversion and solves the technical problems of high manual conversion error, long conversion time and low efficiency in actual work. Meanwhile, after the generated security policy configuration file of the destination firewall has been issued to the new device under test or replacement, the security policy configuration file installed on the new device can be parsed by computer with the same method and converted into the unified parameter table. Because the format of the parameter table is fixed, the contents of each row and each column of the two tables can be compared item by item by a Groovy program, and whether the policy configuration before and after conversion is consistent can be verified quickly.
The invention provides a unified parameter table that unifies the security policies of various vendors and replaces the traditional five-tuple for describing a security policy. It not only supports the conversion of the address, service and policy configuration that existing vendors or third-party tools implement, but also supports more items than those elements, such as source NAT type, source NAT address, destination NAT type, destination NAT address, effective time period, source physical interface and destination physical interface; the converted items are not scattered but are fully represented and associated within each security policy through the unified parameter table, and bidirectional configuration conversion is supported, which effectively solves the problems of high manual conversion error, long and unpredictable conversion time, and high demands on the skills of operation and maintenance personnel. A firewall configuration conversion that takes operation and maintenance staff or firewall vendor personnel days, weeks or months by hand is reduced to one that ordinary operation and maintenance staff can complete in minutes by computer, and the consistency, effectiveness, timeliness and universality of the configuration before and after firewall replacement are addressed at the technical level.
Fig. 5 is a schematic diagram of main blocks of an apparatus for policy configuration conversion during firewall replacement according to an embodiment of the present invention. As shown in fig. 5, the apparatus 500 for policy configuration conversion during firewall replacement according to the embodiment of the present invention mainly includes a first parameter table generating module 501, a configuration file generating module 502, a second parameter table generating module 503, and a parameter table comparing module 504.
A first parameter table generating module 501, configured to generate a first parameter table according to a first configuration file of a source firewall;
a configuration file generating module 502, configured to process the first parameter table according to a type of a destination firewall to obtain a second configuration file of the destination firewall, where the first configuration file cannot be identified by the destination firewall and the second configuration file cannot be identified by the source firewall;
a second parameter table generating module 503, configured to generate a second parameter table according to the second configuration file;
a parameter table comparison module 504, configured to compare the first parameter table with the second parameter table, and perform policy configuration replacement after the comparison is passed.
According to an embodiment of the present invention, the first parameter table and the second parameter table have a unified data structure and include the following data items: transmission protocol, device name, policy identifier, source IP address, source service port, source area, source NAT type, source NAT address, source physical interface, destination IP address, destination service port, destination area, destination NAT type, destination NAT address, destination physical interface, application layer proxy gateway, policy identifier, policy action, policy state, whether the policy records a log, policy effective time period and policy description information.
According to another embodiment of the present invention, the first parameter table generating module 501 is further configured to: reading a first configuration file of the source firewall, and acquiring the type of the source firewall according to the first configuration file; and converting the first configuration file into a first parameter table by executing a policy configuration conversion program corresponding to the type of the source firewall.
According to another embodiment of the present invention, when converting the first configuration file into the first parameter table, the first parameter table generating module 501 may further be configured to: extracting a device name from the first configuration file; extracting security policy element information from the first configuration file, and converting the security policy element information to obtain a policy identifier, source firewall configuration parameters, destination firewall configuration parameters and port policy configuration parameters; and generating the first parameter table from the device name, the policy identifier, the source firewall configuration parameters, the destination firewall configuration parameters and the port policy configuration parameters; wherein the source firewall configuration parameters include: source area, source IP address, source NAT type, source NAT address and source physical interface; the destination firewall configuration parameters include: destination area, destination IP address, destination NAT type, destination NAT address and destination physical interface; and the port policy configuration parameters include: source service port, destination service port, application layer proxy gateway, policy action, policy state, whether the policy records a log, policy effective time period and policy description information.
According to another embodiment of the present invention, when converting the first configuration file into the first parameter table, the first parameter table generating module 501 may further be configured to: acquiring a source IP address from the security policy element information, and judging whether the source IP address has NAT mapping or not; if so, converting the source NAT type and the source NAT address in the security policy element information, and associating a source physical interface; then, converting the source IP address in the security policy element information and associating the source IP address with the source area; otherwise, directly converting the source IP address in the security policy element information and associating the source IP address with the source area; and taking the source area, the source IP address, the source NAT type, the source NAT address and the source physical interface as source firewall configuration parameters.
According to another embodiment of the present invention, when converting the first configuration file into the first parameter table, the first parameter table generating module 501 may further be configured to: acquiring a destination IP address from the security policy element information, and judging whether the destination IP address has a NAT mapping; if yes, converting the destination NAT type and the destination NAT address in the security policy element information, and associating a destination physical interface; then converting the destination IP address in the security policy element information and associating a destination area; otherwise, directly converting the destination IP address in the security policy element information and associating it with a destination area; and taking the destination area, the destination IP address, the destination NAT type, the destination NAT address and the destination physical interface as the destination firewall configuration parameters.
According to another embodiment of the present invention, when converting the first configuration file into the first parameter table, the first parameter table generating module 501 may further be configured to: acquiring the service port information from the security policy element information, and judging whether the connection mode of the service port is a persistent (long-lived) connection; if yes, processing the persistent connection, and outputting a source service port, a destination service port and an application layer proxy gateway; otherwise, directly outputting the source service port, the destination service port and the application layer proxy gateway; converting the policy action, the policy state, whether the policy records a log, the policy effective time period and the policy description information in the security policy element information; and taking the output source service port, destination service port and application layer proxy gateway, together with the converted policy action, policy state, whether the policy records a log, policy effective time period and policy description information, as the port policy configuration parameters.
According to yet another embodiment of the present invention, the configuration file generating module 502 may be further configured to: acquiring, according to the type of the destination firewall, the policy configuration conversion program corresponding to that type; and converting the first parameter table into the second configuration file by executing the policy configuration conversion program corresponding to the type of the destination firewall.
According to another embodiment of the present invention, the configuration file generating module 502, when converting the first parameter table into the second configuration file, may further be configured to: extracting a device name from the first parameter table; extracting security policy element information from the first parameter table, and converting the security policy element information to obtain a policy identifier, source firewall configuration parameters, destination firewall configuration parameters and port policy configuration parameters; and generating the second configuration file from the device name, the policy identifier, the source firewall configuration parameters, the destination firewall configuration parameters and the port policy configuration parameters; wherein the source firewall configuration parameters include: source area, source IP address, source NAT type, source NAT address and source physical interface; the destination firewall configuration parameters include: destination area, destination IP address, destination NAT type, destination NAT address and destination physical interface; and the port policy configuration parameters include: source service port, destination service port, application layer proxy gateway, policy action, policy state, whether the policy records a log, policy effective time period and policy description information.
According to another embodiment of the present invention, the configuration file generating module 502, when converting the first parameter table into the second configuration file, may further be configured to: generating a command line script for generating a second configuration file by executing a policy configuration conversion program corresponding to the type of the destination firewall according to the equipment name, the policy identifier, the source firewall configuration parameter, the destination firewall configuration parameter and the port policy configuration parameter; executing the command line script to generate a second configuration file.
According to another embodiment of the present invention, the configuration file generating module 502, when converting the first parameter table into the second configuration file, may further be configured to: acquiring a source IP address from the security policy element information, and judging whether the source IP address has NAT mapping or not; if so, converting the source NAT type and the source NAT address in the security policy element information, and associating a source physical interface; then, converting the source IP address in the security policy element information and associating the source IP address with the source area; otherwise, directly converting the source IP address in the security policy element information and associating the source IP address with the source area; and taking the source area, the source IP address, the source NAT type, the source NAT address and the source physical interface as source firewall configuration parameters.
According to another embodiment of the present invention, the configuration file generating module 502, when converting the first parameter table into the second configuration file, may further be configured to: acquiring a destination IP address from the security policy element information, and judging whether the destination IP address has a NAT mapping; if yes, converting the destination NAT type and the destination NAT address in the security policy element information, and associating a destination physical interface; then converting the destination IP address in the security policy element information and associating a destination area; otherwise, directly converting the destination IP address in the security policy element information and associating it with a destination area; and taking the destination area, the destination IP address, the destination NAT type, the destination NAT address and the destination physical interface as the destination firewall configuration parameters.
According to another embodiment of the present invention, the configuration file generating module 502, when converting the first parameter table into the second configuration file, may further be configured to: acquiring the service port information from the security policy element information, and judging whether the connection mode of the service port is a persistent (long-lived) connection; if yes, processing the persistent connection, and outputting a source service port, a destination service port and an application layer proxy gateway; otherwise, directly outputting the source service port, the destination service port and the application layer proxy gateway; converting the policy action, the policy state, whether the policy records a log, the policy effective time period and the policy description information in the security policy element information; and taking the output source service port, destination service port and application layer proxy gateway, together with the converted policy action, policy state, whether the policy records a log, policy effective time period and policy description information, as the port policy configuration parameters.
According to another embodiment of the present invention, the parameter table comparison module 504 is further configured to: comparing the first parameter table with the second parameter table row by row and column by column.
According to another embodiment of the present invention, if the comparison result is that the first parameter table and the second parameter table are the same, the comparison is passed, otherwise, the comparison is not passed; and after the comparison, outputting a comparison result.
According to yet another embodiment of the invention, the policy configuration conversion program is implemented in the Groovy language.
According to the technical scheme of the embodiment of the invention, a first parameter table is generated from the first configuration file of the source firewall; the first parameter table is processed according to the type of the destination firewall to obtain a second configuration file of the destination firewall, where the first configuration file cannot be recognised by the destination firewall and the second configuration file cannot be recognised by the source firewall; a second parameter table is generated from the second configuration file; and the first parameter table and the second parameter table are compared, with policy configuration replacement carried out after the comparison passes. In this way the security policy configuration file of the source firewall is automatically read and converted into a parameter table that is unified across all vendors, and the parameter table is then automatically converted into the security policy configuration file of the destination firewall, which greatly improves the efficiency and accuracy of policy configuration conversion and solves the technical problems of high manual conversion error, long conversion time and low efficiency in actual work. Meanwhile, bidirectional conversion between the configuration file and the parameter table is supported, and the contents of each row and each column of the parameter table are compared item by item, so that whether the policy configuration before and after conversion is consistent is verified quickly; this effectively solves the problems of high manual conversion error and high demands on the skills of operation and maintenance personnel, and addresses the consistency, effectiveness, timeliness and universality of the configuration before and after firewall replacement at the technical level.
Fig. 6 illustrates an exemplary system architecture 600 to which the method for policy configuration conversion during firewall replacement or the apparatus for policy configuration conversion during firewall replacement of embodiments of the present invention may be applied.
As shown in fig. 6, the system architecture 600 may include terminal devices 601, 602, 603, a network 604, and a server 605. The network 604 serves to provide a medium for communication links between the terminal devices 601, 602, 603 and the server 605. Network 604 may include various types of connections, such as wire, wireless communication links, or fiber optic cables, to name a few.
A user may use the terminal devices 601, 602, 603 to interact with the server 605 via the network 604 to receive or send messages or the like. The terminal devices 601, 602, 603 may have installed thereon various communication client applications, such as a firewall application, a web browser application, a search-type application, an instant messaging tool, a mailbox client, social platform software, etc. (by way of example only).
The terminal devices 601, 602, 603 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 605 may be a server providing various services, such as a background management server (for example only) providing support for shopping websites browsed by users using the terminal devices 601, 602, 603. The backend management server may analyze and perform other processing on the received data such as the product information query request, and feed back a processing result (for example, target push information, product information — just an example) to the terminal device.
It should be noted that the method for policy configuration conversion during firewall replacement provided by the embodiment of the present invention is generally executed by the server 605, and accordingly, the apparatus for policy configuration conversion during firewall replacement is generally disposed in the server 605.
It should be understood that the number of terminal devices, networks, and servers in fig. 6 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 7, a block diagram of a computer system 700 suitable for use with a terminal device or server implementing an embodiment of the invention is shown. The terminal device or the server shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 7, the computer system 700 includes a Central Processing Unit (CPU)701, which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data necessary for the operation of the system 700 are also stored. The CPU 701, the ROM 702, and the RAM 703 are connected to each other via a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
The following components are connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is mounted into the storage section 708 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 701.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units or modules described in the embodiments of the present invention may be implemented by software or by hardware. The described units or modules may also be provided in a processor, and may be described as: a processor comprising a first parameter table generation module, a configuration file generation module, a second parameter table generation module and a parameter table comparison module. The names of these units or modules do not in some cases constitute a limitation on the units or modules themselves; for example, the first parameter table generating module may also be described as a "module for generating a first parameter table from a first configuration file of a source firewall".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to comprise: generating a first parameter table according to a first configuration file of a source firewall; processing the first parameter table according to the type of a destination firewall to obtain a second configuration file of the destination firewall, wherein the first configuration file cannot be identified by the destination firewall and the second configuration file cannot be identified by the source firewall; generating a second parameter table according to the second configuration file; and comparing the first parameter table with the second parameter table, and after the comparison is passed, performing policy configuration replacement.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (19)

1. A method for policy configuration conversion during firewall replacement, comprising:
generating a first parameter table from a first configuration file of a source firewall;
processing the first parameter table according to the type of a destination firewall to obtain a second configuration file of the destination firewall, wherein the first configuration file cannot be recognized by the destination firewall and the second configuration file cannot be recognized by the source firewall;
generating a second parameter table from the second configuration file;
and comparing the first parameter table with the second parameter table and, after the comparison passes, performing the policy configuration replacement.
2. The method of claim 1, wherein the first parameter table and the second parameter table have a unified data structure comprising the following data items:
a transport protocol, a device name, a policy identifier, a source IP address, a source service port, a source zone, a source NAT type, a source NAT address, a source physical interface, a destination IP address, a destination service port, a destination zone, a destination NAT type, a destination NAT address, a destination physical interface, an application layer proxy gateway, a policy identifier, a policy action, a policy state, whether the policy is logged, a policy effective time period, and a description of the policy.
3. The method of claim 1, wherein generating the first parameter table based on the first configuration file of the source firewall comprises:
reading a first configuration file of the source firewall, and acquiring the type of the source firewall according to the first configuration file;
and converting the first configuration file into a first parameter table by executing a policy configuration conversion program corresponding to the type of the source firewall.
4. The method of claim 3, wherein converting the first configuration file into a first parameter table comprises:
extracting a device name from the first configuration file;
extracting security policy element information from the first configuration file, and converting the security policy element information to obtain a policy identifier, source firewall configuration parameters, destination firewall configuration parameters and port policy configuration parameters;
generating the first parameter table from the device name, the policy identifier, the source firewall configuration parameters, the destination firewall configuration parameters and the port policy configuration parameters;
wherein the source firewall configuration parameters comprise: a source zone, a source IP address, a source NAT type, a source NAT address and a source physical interface;
the destination firewall configuration parameters comprise: a destination zone, a destination IP address, a destination NAT type, a destination NAT address and a destination physical interface;
the port policy configuration parameters comprise: a source service port, a destination service port, an application layer proxy gateway, a policy action, a policy state, whether the policy is logged, a policy effective time period and a description of the policy.
5. The method of claim 4, wherein converting the security policy element information to obtain the source firewall configuration parameters comprises:
obtaining a source IP address from the security policy element information, and determining whether the source IP address has a NAT mapping;
if so, converting the source NAT type and the source NAT address in the security policy element information and associating a source physical interface, then converting the source IP address in the security policy element information and associating it with a source zone;
otherwise, directly converting the source IP address in the security policy element information and associating it with a source zone;
and taking the source zone, the source IP address, the source NAT type, the source NAT address and the source physical interface as the source firewall configuration parameters.
6. The method of claim 4, wherein converting the security policy element information to obtain the destination firewall configuration parameters comprises:
obtaining a destination IP address from the security policy element information, and determining whether the destination IP address has a NAT mapping;
if so, converting the destination NAT type and the destination NAT address in the security policy element information and associating a destination physical interface, then converting the destination IP address in the security policy element information and associating it with a destination zone;
otherwise, directly converting the destination IP address in the security policy element information and associating it with a destination zone;
and taking the destination zone, the destination IP address, the destination NAT type, the destination NAT address and the destination physical interface as the destination firewall configuration parameters.
7. The method of claim 4, wherein converting the security policy element information to obtain the port policy configuration parameters comprises:
obtaining the service port information from the security policy element information, and determining whether the connection mode of the service port is a long-lived (persistent) connection;
if so, processing the long-lived connection and outputting a source service port, a destination service port and an application layer proxy gateway;
otherwise, directly outputting the source service port, the destination service port and the application layer proxy gateway;
converting the policy action, the policy state, whether the policy is logged, the policy effective time period and the policy description in the security policy element information;
and taking the output source service port, destination service port and application layer proxy gateway, together with the converted policy action, policy state, whether the policy is logged, policy effective time period and policy description, as the port policy configuration parameters.
8. The method of claim 1, wherein processing the first parameter table according to the type of the destination firewall to obtain the second configuration file of the destination firewall comprises:
obtaining, according to the type of the destination firewall, the policy configuration conversion program corresponding to that type;
and converting the first parameter table into the second configuration file by executing the policy configuration conversion program corresponding to the type of the destination firewall.
9. The method of claim 8, wherein converting the first parameter table into the second configuration file comprises:
extracting a device name from the first parameter table;
extracting security policy element information from the first parameter table, and converting the security policy element information to obtain a policy identifier, source firewall configuration parameters, destination firewall configuration parameters and port policy configuration parameters;
generating the second configuration file from the device name, the policy identifier, the source firewall configuration parameters, the destination firewall configuration parameters and the port policy configuration parameters;
wherein the source firewall configuration parameters comprise: a source zone, a source IP address, a source NAT type, a source NAT address and a source physical interface;
the destination firewall configuration parameters comprise: a destination zone, a destination IP address, a destination NAT type, a destination NAT address and a destination physical interface;
the port policy configuration parameters comprise: a source service port, a destination service port, an application layer proxy gateway, a policy action, a policy state, whether the policy is logged, a policy effective time period and a description of the policy.
10. The method of claim 9, wherein generating the second configuration file from the device name, the policy identifier, the source firewall configuration parameters, the destination firewall configuration parameters and the port policy configuration parameters comprises:
generating, from the device name, the policy identifier, the source firewall configuration parameters, the destination firewall configuration parameters and the port policy configuration parameters, a command-line script for producing the second configuration file, by executing the policy configuration conversion program corresponding to the type of the destination firewall;
and executing the command-line script to generate the second configuration file.
11. The method of claim 9 or 10, wherein converting the security policy element information to obtain the source firewall configuration parameters comprises:
obtaining a source IP address from the security policy element information, and determining whether the source IP address has a NAT mapping;
if so, converting the source NAT type and the source NAT address in the security policy element information and associating a source physical interface, then converting the source IP address in the security policy element information and associating it with a source zone;
otherwise, directly converting the source IP address in the security policy element information and associating it with a source zone;
and taking the source zone, the source IP address, the source NAT type, the source NAT address and the source physical interface as the source firewall configuration parameters.
12. The method of claim 9 or 10, wherein converting the security policy element information to obtain the destination firewall configuration parameters comprises:
obtaining a destination IP address from the security policy element information, and determining whether the destination IP address has a NAT mapping;
if so, converting the destination NAT type and the destination NAT address in the security policy element information and associating a destination physical interface, then converting the destination IP address in the security policy element information and associating it with a destination zone;
otherwise, directly converting the destination IP address in the security policy element information and associating it with a destination zone;
and taking the destination zone, the destination IP address, the destination NAT type, the destination NAT address and the destination physical interface as the destination firewall configuration parameters.
13. The method of claim 9 or 10, wherein converting the security policy element information to obtain the port policy configuration parameters comprises:
obtaining the service port information from the security policy element information, and determining whether the connection mode of the service port is a long-lived (persistent) connection;
if so, processing the long-lived connection and outputting a source service port, a destination service port and an application layer proxy gateway;
otherwise, directly outputting the source service port, the destination service port and the application layer proxy gateway;
converting the policy action, the policy state, whether the policy is logged, the policy effective time period and the policy description in the security policy element information;
and taking the output source service port, destination service port and application layer proxy gateway, together with the converted policy action, policy state, whether the policy is logged, policy effective time period and policy description, as the port policy configuration parameters.
14. The method of claim 1, wherein comparing the first parameter table to the second parameter table comprises:
and comparing the first parameter table with the second parameter table row by row and column by column.
15. The method of claim 1, wherein the comparison passes if the comparison result is that the first parameter table and the second parameter table are identical, and fails otherwise;
and after the comparison, the comparison result is output.
16. The method of claim 1, wherein the policy configuration conversion program is implemented in the Groovy language.
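The procedure of claims 1 to 15, and of the description above, as an added runnable example; this is not the patent's code and not the applicant's tooling. It uses two vendor syntaxes constructed for the example ("vendor A", a one-line rule format, and "vendor B", a block format; neither is a real product's syntax), a unified parameter table restricted to 16 of the data items of claim 2 (the physical interface, application layer proxy gateway, effective time period and description columns are left out), the NAT branch of claims 5/6 and 11/12, and the row-by-row, column-by-column comparison of claims 14 and 15. It is written in Python rather than the Groovy of claim 16 so that it runs stand-alone; all function names, sample rules, hostnames and addresses are assumptions.

```python
import re

# Unified parameter-table columns, a subset of the data items listed in claim 2.
COLUMNS = ("device_name", "policy_id", "src_zone", "src_ip", "src_nat_type", "src_nat_addr",
           "dst_zone", "dst_ip", "dst_nat_type", "dst_nat_addr",
           "protocol", "src_port", "dst_port", "action", "state", "log")

# Hypothetical source syntax "vendor A" (constructed for this example), one rule per line:
#   rule <id> from <zone> <ip> [nat-src <type> <addr>] to <zone> <ip> [nat-dst <type> <addr>]
#        <proto> <sport> <dport> <permit|deny> <log|nolog> <enable|disable>
VENDOR_A_RULE = re.compile(
    r"^rule (?P<policy_id>\d+) from (?P<src_zone>\S+) (?P<src_ip>\S+)"
    r"(?: nat-src (?P<src_nat_type>\S+) (?P<src_nat_addr>\S+))?"
    r" to (?P<dst_zone>\S+) (?P<dst_ip>\S+)"
    r"(?: nat-dst (?P<dst_nat_type>\S+) (?P<dst_nat_addr>\S+))?"
    r" (?P<protocol>\S+) (?P<src_port>\S+) (?P<dst_port>\S+)"
    r" (?P<action>permit|deny) (?P<log>log|nolog) (?P<state>enable|disable)$")

# Constructed sample of the first configuration file (hostname and addresses are made up).
SAMPLE_VENDOR_A = """\
hostname FW-A-01
rule 10 from trust 10.0.1.0/24 to untrust 203.0.113.10 tcp any 443 permit log enable
rule 20 from trust 10.0.2.5 nat-src static 198.51.100.5 to untrust any udp any 53 permit nolog enable
rule 30 from untrust any to dmz 203.0.113.20 nat-dst static 10.0.3.20 tcp any 8443 deny log disable
"""

def parse_vendor_a(config):
    """Source configuration file -> first parameter table (claims 3 to 7)."""
    device, rows = None, []
    for line in config.splitlines():
        if line.startswith("hostname "):
            device = line.split(None, 1)[1]
        elif (m := VENDOR_A_RULE.match(line)):
            # Claims 5/6: NAT columns are filled only when the address has a NAT
            # mapping; "none" is the explicit marker for "no mapping".
            row = {k: (v or "none") for k, v in m.groupdict().items()}
            row["device_name"] = device
            row["log"] = "yes" if row["log"] == "log" else "no"
            rows.append(row)
    return rows  # lines matching neither pattern are ignored

def render_vendor_b(table):
    """First parameter table -> destination configuration file (claims 8 to 10).
    Hypothetical block syntax "vendor B": 'policy <id>' ... 'exit'."""
    out = [f"sysname {table[0]['device_name']}"]
    for row in table:
        out.append(f"policy {row['policy_id']}")
        for side in ("src", "dst"):
            out += [f"  {side}-zone {row[side + '_zone']}", f"  {side}-ip {row[side + '_ip']}"]
            if row[side + "_nat_type"] != "none":  # claims 11/12: emit NAT only if mapped
                out.append(f"  {side}-nat {row[side + '_nat_type']} {row[side + '_nat_addr']}")
        out.append(f"  service {row['protocol']} {row['src_port']} {row['dst_port']}")
        out += [f"  action {row['action']}", f"  state {row['state']}", f"  log {row['log']}", "exit"]
    return "\n".join(out) + "\n"

def parse_vendor_b(config):
    """Destination configuration file -> second parameter table (same structure)."""
    device, rows, cur = None, [], None
    for key, *vals in (ln.split() for ln in config.splitlines() if ln.strip()):
        if key == "sysname":
            device = vals[0]
        elif key == "policy":
            cur = dict.fromkeys(COLUMNS, "none")  # unmapped NAT columns stay "none"
            cur.update(device_name=device, policy_id=vals[0])
        elif key == "exit":
            rows.append(cur)
        elif key in ("src-nat", "dst-nat"):
            cur[key[:3] + "_nat_type"], cur[key[:3] + "_nat_addr"] = vals
        elif key == "service":
            cur["protocol"], cur["src_port"], cur["dst_port"] = vals
        else:
            cur[key.replace("-", "_")] = vals[0]  # zone, ip, action, state, log
    return rows

def compare_tables(first, second):
    """Claims 14/15: row-by-row, column-by-column comparison. Returns the mismatches as
    (policy_id, column, first_value, second_value); an empty list means the check passed."""
    diffs = []
    if len(first) != len(second):
        diffs.append(("<table>", "row_count", len(first), len(second)))
    for a, b in zip(first, second):
        diffs += [(a["policy_id"], c, a.get(c), b.get(c)) for c in COLUMNS if a.get(c) != b.get(c)]
    return diffs

def round_trip(source_config):
    """Claim 1 end to end. Replacement may proceed only when the returned diff list is empty."""
    first = parse_vendor_a(source_config)
    second_config = render_vendor_b(first)
    second = parse_vendor_b(second_config)
    return second_config, compare_tables(first, second)

if __name__ == "__main__":
    cfg, diffs = round_trip(SAMPLE_VENDOR_A)
    print(cfg)
    print("comparison passed" if not diffs else f"comparison FAILED: {diffs}")
```

Running the module prints the generated vendor B configuration and the comparison verdict. The case worth noting is the failing one: if the destination-side renderer silently dropped a NAT statement the destination firewall does not support, the re-parsed table would carry "none" where the first table carries "static", and compare_tables reports that cell by policy identifier and column name instead of letting the replacement go ahead.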
17. An apparatus for policy configuration conversion during firewall replacement, comprising:
a first parameter table generating module for generating a first parameter table from a first configuration file of a source firewall;
a configuration file generating module for processing the first parameter table according to the type of a destination firewall to obtain a second configuration file of the destination firewall, wherein the first configuration file cannot be recognized by the destination firewall and the second configuration file cannot be recognized by the source firewall;
a second parameter table generating module for generating a second parameter table from the second configuration file;
and a parameter table comparison module for comparing the first parameter table with the second parameter table and performing the policy configuration replacement after the comparison passes.
18. An electronic device for policy configuration conversion during firewall replacement, comprising:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-16.
19. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-16.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110319748.8A CN113055391B (en) 2021-03-25 2021-03-25 Method and device for policy configuration conversion during firewall replacement

Publications (2)

Publication Number Publication Date
CN113055391A true CN113055391A (en) 2021-06-29
CN113055391B CN113055391B (en) 2023-04-18

Family

ID=76515782

Country Status (1)

Country Link
CN (1) CN113055391B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114338391A (en) * 2021-12-28 2022-04-12 奇安信科技集团股份有限公司 Migration configuration method and device for firewall
CN115766177A (en) * 2022-11-08 2023-03-07 广西电网有限责任公司 Automatic combing method and related device for web crawler firewall strategies

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150082417A1 (en) * 2013-09-13 2015-03-19 Vmware, Inc. Firewall configured with dynamic collaboration from network services in a virtual network environment
CN104580078A (en) * 2013-10-15 2015-04-29 北京神州泰岳软件股份有限公司 Network access control method and system
US20170187750A1 (en) * 2015-12-29 2017-06-29 Fortinet, Inc. Security configuration file conversion with security policy optimization
CN107888621A (en) * 2017-12-14 2018-04-06 新华三技术有限公司 Firewall management method, apparatus and fire wall pile system
CN109495422A (en) * 2017-09-11 2019-03-19 中国电信股份有限公司 Configuration method, device and the computer readable storage medium of virtual firewall
CN110430206A (en) * 2019-08-13 2019-11-08 上海新炬网络技术有限公司 Based on script template metaplasia at the method for configuration firewall security policy
CN110912916A (en) * 2019-11-29 2020-03-24 杭州安恒信息技术股份有限公司 Method, device, equipment and medium for synchronizing configuration of WEB application firewall
CN111064826A (en) * 2019-12-31 2020-04-24 奇安信科技集团股份有限公司 Information processing method, apparatus, electronic device, and medium executed by firewall
CN111294391A (en) * 2020-01-17 2020-06-16 深信服科技股份有限公司 Configuration synchronization method, device, equipment and readable storage medium
CN111786949A (en) * 2020-05-22 2020-10-16 山东鲁能软件技术有限公司 Firewall security policy automatic adaptation system and method
CN111835794A (en) * 2020-09-17 2020-10-27 腾讯科技(深圳)有限公司 Firewall policy control method and device, electronic equipment and storage medium
CN112131177A (en) * 2020-08-14 2020-12-25 中信银行股份有限公司 Data migration method and device, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant