
Converting ScreenOS(SSG140) to JunOS(SRX340)

Sunday

Hi Community,

I'm using the S2J migration tool but having issues translating the below. If anyone can assist, I would greatly appreciate it! Thank you in advance! 


95:set alg appleichat enable
Line not yet supported by S2J
96:unset alg appleichat re-assembly enable
Line not recognized by S2J
97:set alg sctp enable
Line not yet supported by S2J
112:set admin format dos
Line not recognized by S2J
113:set zone "Trust" vrouter "trust-vr"
114:set zone "Untrust" vrouter "trust-vr"
115:set zone "DMZ" vrouter "trust-vr"
116:set zone "VLAN" vrouter "trust-vr"
Transparent mode is  not supported by the S2J tool yet.
117:set zone id 100 "Voice"
118:set zone id 101 "TESTZONE"
119:set zone id 102 "ServProc"
120:set zone "Untrust-Tun" vrouter "trust-vr"
Tunnel Zone is not supported in JUNOS
121:set zone "Trust" tcp-rst
122:set zone "Untrust" block
This is the default in JUNOS
123:unset zone "Untrust" tcp-rst
124:set zone "MGT" block
This is the default in JUNOS
125:unset zone "V1-Trust" tcp-rst
126:unset zone "V1-Untrust" tcp-rst
127:set zone "DMZ" tcp-rst
128:unset zone "V1-DMZ" tcp-rst
129:unset zone "VLAN" tcp-rst
Transparent mode is  not supported by the S2J tool yet.
130:unset zone "Voice" tcp-rst
131:unset zone "TESTZONE" tcp-rst
132:unset zone "ServProc" tcp-rst
133:set zone "Untrust" screen tear-drop
134:set zone "Untrust" screen syn-flood
135:set zone "Untrust" screen ping-death
136:set zone "Untrust" screen ip-filter-src
137:set zone "Untrust" screen land
138:set zone "V1-Untrust" screen tear-drop
139:set zone "V1-Untrust" screen syn-flood
140:set zone "V1-Untrust" screen ping-death
141:set zone "V1-Untrust" screen ip-filter-src
142:set zone "V1-Untrust" screen land
143:set interface "ethernet0/0" zone "Trust"
144:set interface "ethernet0/1" zone "DMZ"
145:set interface "ethernet0/2" zone "Untrust"
146:set interface "ethernet0/3" zone "ServProc"
147:set interface "ethernet0/4" zone "DMZ"
148:set interface "ethernet0/6" zone "Voice"
149:set interface "ethernet0/8" zone "Trust"
150:set interface "ethernet0/9" zone "Untrust"
151:set interface "tunnel.1" zone "Untrust"
This interface type is not supported in JUNOS
152:unset interface vlan1 ip
Line not recognized by S2J
153:set interface ethernet0/1 ip 192.168.2.254/24
154:set interface ethernet0/1 nat
NAT Mode is not supported in JUNOS
155:set interface ethernet0/2 ip 216.183.190.226/28
156:set interface ethernet0/2 route
This is the default in JUNOS
157:set interface ethernet0/3 ip 192.168.14.254/24
158:set interface ethernet0/3 nat
NAT Mode is not supported in JUNOS
159:set interface ethernet0/4 ip 192.168.3.254/24
160:set interface ethernet0/4 nat
NAT Mode is not supported in JUNOS
161:set interface ethernet0/6 ip 192.168.6.254/24
162:set interface ethernet0/6 nat
NAT Mode is not supported in JUNOS
163:set interface ethernet0/8 ip 192.168.1.254/24
164:set interface ethernet0/8 nat
NAT Mode is not supported in JUNOS
165:set interface ethernet0/8 ip 192.168.4.254 255.255.255.0 secondary
166:set interface ethernet0/8 ip 192.168.15.254 255.255.255.0 secondary
167:set interface ethernet0/9 ip x.x.x.x/30
168:set interface ethernet0/9 route
This is the default in JUNOS
169:set interface tunnel.1 ip unnumbered interface ethernet0/9
This interface type is not supported in JUNOS
170:set interface ethernet0/9 bandwidth egress mbw 51200 ingress mbw 51200
Line not recognized by S2J
171:set interface ethernet0/9 mtu 1500
172:unset interface vlan1 bypass-others-ipsec
Line not recognized by S2J
173:unset interface vlan1 bypass-non-ip
Line not recognized by S2J
174:set interface ethernet0/1 ip manageable
175:set interface ethernet0/2 ip manageable
176:set interface ethernet0/3 ip manageable
177:unset interface ethernet0/4 ip manageable
The interface is not IP managed
178:set interface ethernet0/6 ip manageable
179:set interface ethernet0/8 ip manageable
180:set interface ethernet0/9 ip manageable
181:set interface ethernet0/0 manage ping
182:set interface ethernet0/0 manage ssh
183:set interface ethernet0/0 manage telnet
184:set interface ethernet0/0 manage snmp
185:set interface ethernet0/0 manage ssl
SSL/Certificates must be manually installed and configured
186:set interface ethernet0/0 manage web
187:unset interface ethernet0/0 manage ident-reset
188:set interface ethernet0/0 g-arp
Line not recognized by S2J
189:set interface ethernet0/1 manage ping
190:unset interface ethernet0/1 manage ssh
191:unset interface ethernet0/1 manage telnet
192:set interface ethernet0/1 manage snmp
193:unset interface ethernet0/1 manage ssl
SSL/Certificates must be manually installed and configured
194:set interface ethernet0/1 manage web
195:unset interface ethernet0/1 manage ident-reset
196:set interface ethernet0/1 g-arp
Line not recognized by S2J
197:set interface ethernet0/2 manage ping
198:unset interface ethernet0/2 manage ssh
199:set interface ethernet0/2 manage telnet
200:set interface ethernet0/2 manage snmp
201:unset interface ethernet0/2 manage ssl
SSL/Certificates must be manually installed and configured
202:set interface ethernet0/2 manage web
203:unset interface ethernet0/2 manage ident-reset
204:set interface ethernet0/2 g-arp
Line not recognized by S2J
205:set interface ethernet0/3 manage ping
206:unset interface ethernet0/3 manage ssh
207:set interface ethernet0/3 manage telnet
208:set interface ethernet0/3 manage snmp
209:unset interface ethernet0/3 manage ssl
SSL/Certificates must be manually installed and configured
210:set interface ethernet0/3 manage web
211:unset interface ethernet0/3 manage ident-reset
212:set interface ethernet0/3 g-arp
Line not recognized by S2J
213:set interface ethernet0/4 manage ping
214:unset interface ethernet0/4 manage ssh
215:set interface ethernet0/4 manage telnet
216:set interface ethernet0/4 manage snmp
217:unset interface ethernet0/4 manage ssl
SSL/Certificates must be manually installed and configured
218:unset interface ethernet0/4 manage web
219:unset interface ethernet0/4 manage ident-reset
220:set interface ethernet0/4 g-arp
Line not recognized by S2J
221:set interface ethernet0/6 manage ping
222:set interface ethernet0/6 manage ssh
223:set interface ethernet0/6 manage telnet
224:set interface ethernet0/6 manage snmp
225:unset interface ethernet0/6 manage ssl
SSL/Certificates must be manually installed and configured
226:set interface ethernet0/6 manage web
227:unset interface ethernet0/6 manage ident-reset
228:set interface ethernet0/6 g-arp
Line not recognized by S2J
229:set interface ethernet0/8 manage ping
230:set interface ethernet0/8 manage ssh
231:set interface ethernet0/8 manage telnet
232:set interface ethernet0/8 manage snmp
233:unset interface ethernet0/8 manage ssl
SSL/Certificates must be manually installed and configured
234:set interface ethernet0/8 manage web
235:unset interface ethernet0/8 manage ident-reset
236:set interface ethernet0/8 g-arp
Line not recognized by S2J
237:set interface ethernet0/9 manage ping
238:unset interface ethernet0/9 manage ssh
239:set interface ethernet0/9 manage telnet
240:set interface ethernet0/9 manage snmp
241:unset interface ethernet0/9 manage ssl
SSL/Certificates must be manually installed and configured
242:set interface ethernet0/9 manage web
243:unset interface ethernet0/9 manage ident-reset
244:set interface ethernet0/9 g-arp
Line not recognized by S2J
245:set interface vlan1 manage ping
This is not supported by Junos
246:set interface vlan1 manage ssh
This is not supported by Junos
247:set interface vlan1 manage telnet
This is not supported by Junos
248:set interface vlan1 manage snmp
This is not supported by Junos
249:set interface vlan1 manage ssl
This is not supported by Junos
250:set interface vlan1 manage web
This is not supported by Junos
251:unset interface vlan1 manage ident-reset
Line not recognized by S2J
252:unset interface vlan1 g-arp
Line not recognized by S2J
253:set zone V1-Trust manage ping
Line not recognized by S2J
254:set zone V1-Trust manage ssh
Line not recognized by S2J
255:set zone V1-Trust manage telnet
Line not recognized by S2J
256:set zone V1-Trust manage snmp
Line not recognized by S2J
257:set zone V1-Trust manage ssl
Line not recognized by S2J
258:set zone V1-Trust manage web
Line not recognized by S2J
259:unset zone V1-Trust manage ident-reset
Line not recognized by S2J
260:set zone V1-Trust g-arp
Line not recognized by S2J
261:unset zone V1-Untrust manage ping
Line not recognized by S2J
262:unset zone V1-Untrust manage ssh
Line not recognized by S2J
263:unset zone V1-Untrust manage telnet
Line not recognized by S2J
264:unset zone V1-Untrust manage snmp
Line not recognized by S2J
265:unset zone V1-Untrust manage ssl
Line not recognized by S2J
266:unset zone V1-Untrust manage web
Line not recognized by S2J
267:unset zone V1-Untrust manage ident-reset
Line not recognized by S2J
268:set zone V1-Untrust g-arp
Line not recognized by S2J
269:set zone V1-DMZ manage ping
Line not recognized by S2J
270:unset zone V1-DMZ manage ssh
Line not recognized by S2J
271:unset zone V1-DMZ manage telnet
Line not recognized by S2J
272:unset zone V1-DMZ manage snmp
Line not recognized by S2J
273:unset zone V1-DMZ manage ssl
Line not recognized by S2J
274:unset zone V1-DMZ manage web
Line not recognized by S2J
275:unset zone V1-DMZ manage ident-reset
Line not recognized by S2J
276:set zone V1-DMZ g-arp
Line not recognized by S2J
277:unset zone V1-Null manage ping
Line not recognized by S2J
278:unset zone V1-Null manage ssh
Line not recognized by S2J
279:unset zone V1-Null manage telnet
Line not recognized by S2J
280:unset zone V1-Null manage snmp
Line not recognized by S2J
281:unset zone V1-Null manage ssl
Line not recognized by S2J
282:unset zone V1-Null manage web
Line not recognized by S2J
283:unset zone V1-Null manage ident-reset
Line not recognized by S2J
284:set zone V1-Null g-arp
Line not recognized by S2J
285:set interface ethernet0/4 dhcp server service
286:set interface ethernet0/6 dhcp server service
287:set interface ethernet0/4 dhcp server enable
288:set interface ethernet0/6 dhcp server enable
289:set interface ethernet0/4 dhcp server option lease 1440000
290:set interface ethernet0/4 dhcp server option gateway 192.168.3.254
291:set interface ethernet0/4 dhcp server option netmask 255.255.255.0
292:set interface ethernet0/4 dhcp server option dns1 8.8.8.8
293:set interface ethernet0/4 dhcp server option dns2 8.8.4.4
294:set interface ethernet0/4 dhcp server option dns3 4.2.2.2
295:set interface ethernet0/6 dhcp server option lease 1440000
296:set interface ethernet0/6 dhcp server option gateway 192.168.6.254
297:set interface ethernet0/6 dhcp server option netmask 255.255.255.0
298:set interface ethernet0/6 dhcp server option dns1 8.8.8.8
299:set interface ethernet0/6 dhcp server option wins1 8.8.4.4
300:set interface ethernet0/4 dhcp server ip 192.168.3.100 to 192.168.3.110
301:set interface ethernet0/6 dhcp server ip 192.168.6.100 to 192.168.6.229
302:unset interface ethernet0/4 dhcp server config next-server-ip
Line not recognized by S2J
303:unset interface ethernet0/6 dhcp server config next-server-ip
Line not recognized by S2J
310:set interface "ethernet0/9" mip x.x.x.x host 192.168.1.17 netmask 255.255.255.255 vr "trust-vr"
Corresponding policy statement not found for MIP. No rule-set created
314:unset flow no-tcp-seq-check
TCP No Seq Check is disabled by default
315:set flow tcp-syn-check
TCP Syn Check is on by default
316:unset flow tcp-syn-bit-check
Line not recognized by S2J
317:set flow reverse-route clear-text prefer
Line not recognized by S2J
318:set flow reverse-route tunnel always
Line not recognized by S2J
319:set console page 0
This Command is Operational Command in JUNOS
320:set hostname ssg140
321:set pki authority default scep mode "auto"
This is not supported by S2J yet
322:set pki x509 default cert-path partial
Line not yet supported by S2J
323:set dns host dns1 9.9.9.9 src-interface ethernet0/9
324:set dns host dns2 208.67.222.222 src-interface ethernet0/9
325:set dns host dns3 8.8.8.8 src-interface ethernet0/9
326:set dns host schedule 06:28
Cache Refresh is not tunable. The cache refresh is scheduled once per day.
334:set address "Trust" "192.168.1.170 /24" 192.168.1.170 255.255.255.0 "Video Conferencing System"
Invalid IP Address.Not accepted in Junos. Host IP should have /32 or 255.255.255.255 as mask. 
356:set address "Untrust" "18.72.0.3 /16" 18.72.0.3 255.255.0.0 "bitsy.mit.edu (time server)"
Invalid IP Address.Not accepted in Junos. Host IP should have /32 or 255.255.255.255 as mask. 
361:set address "Untrust" "192.168.55.0 /24" 192.168.55.0 255.255.255.0 "Remote 1385 Cambridge"
Route interface cannot be null. Please define the interface.
362:set address "Untrust" "192.43.244.18 /16" 192.43.244.18 255.255.0.0 "time.nist.gov"
Invalid IP Address.Not accepted in Junos. Host IP should have /32 or 255.255.255.255 as mask. 
363:set address "Untrust" "192.5.41.41 /24" 192.5.41.41 255.255.255.0 "tock.usno.navy.mil"
Invalid IP Address.Not accepted in Junos. Host IP should have /32 or 255.255.255.255 as mask. 
427:set group address "Untrust" "Time Servers"
428:set group address "Untrust" "Time Servers" add "18.72.0.3 /16"
Member Definition for "18.72.0.3 /16" is missing or the member is not being converted.
429:set group address "Untrust" "Time Servers" add "192.43.244.18 /16"
Member Definition for "192.43.244.18 /16" is missing or the member is not being converted.
430:set group address "Untrust" "Time Servers" add "192.5.41.41 /24"
Member Definition for "192.5.41.41 /24" is missing or the member is not being converted.
431:set group address "DMZ" "DMZ Servers"
432:set group address "DMZ" "DMZ Servers" add "192.168.2.25"
433:set group service "Allowed Services" comment "Ports open to PCA"
Application(s) in the group is/are not defined in config or did not convert.
434:set group service "Allowed Services" add "AOL"
Application(s) in the group is/are not defined in config or did not convert.
435:set group service "Allowed Services" add "Apple iCloud"
Application(s) in the group is/are not defined in config or did not convert.
436:set group service "Allowed Services" add "BlueBeam Studio"
Application(s) in the group is/are not defined in config or did not convert.
437:set group service "Allowed Services" add "CityofBostonStreaming"
Application(s) in the group is/are not defined in config or did not convert.
438:set group service "Allowed Services" add "DNS"
Application(s) in the group is/are not defined in config or did not convert.
439:set group service "Allowed Services" add "FTP"
Application(s) in the group is/are not defined in config or did not convert.
440:set group service "Allowed Services" add "Gaijin"
Application(s) in the group is/are not defined in config or did not convert.
441:set group service "Allowed Services" add "Gmail IMAP"
Application(s) in the group is/are not defined in config or did not convert.
442:set group service "Allowed Services" add "Gmail POP3"
Application(s) in the group is/are not defined in config or did not convert.
443:set group service "Allowed Services" add "Gmail SMTP"
Application(s) in the group is/are not defined in config or did not convert.
444:set group service "Allowed Services" add "HTTP"
Application(s) in the group is/are not defined in config or did not convert.
445:set group service "Allowed Services" add "HTTPS"
Application(s) in the group is/are not defined in config or did not convert.
446:set group service "Allowed Services" add "IM"
Application(s) in the group is/are not defined in config or did not convert.
447:set group service "Allowed Services" add "IMAP"
Application(s) in the group is/are not defined in config or did not convert.
448:set group service "Allowed Services" add "MAIL"
Application(s) in the group is/are not defined in config or did not convert.
449:set group service "Allowed Services" add "Masonry iQ"
Application(s) in the group is/are not defined in config or did not convert.
450:set group service "Allowed Services" add "MSN"
Application(s) in the group is/are not defined in config or did not convert.
451:set group service "Allowed Services" add "NetMeeting"
Application(s) in the group is/are not defined in config or did not convert.
452:set group service "Allowed Services" add "NTP"
Application(s) in the group is/are not defined in config or did not convert.
453:set group service "Allowed Services" add "PING"
Application(s) in the group is/are not defined in config or did not convert.
454:set group service "Allowed Services" add "POP3"
Application(s) in the group is/are not defined in config or did not convert.
455:set group service "Allowed Services" add "PPTP"
Application(s) in the group is/are not defined in config or did not convert.
456:set group service "Allowed Services" add "PrintRipper Activation"
Application(s) in the group is/are not defined in config or did not convert.
457:set group service "Allowed Services" add "pushy.me"
Application(s) in the group is/are not defined in config or did not convert.
458:set group service "Allowed Services" add "SFTP"
Application(s) in the group is/are not defined in config or did not convert.
459:set group service "Allowed Services" add "SketchUp"
Application(s) in the group is/are not defined in config or did not convert.
460:set group service "Allowed Services" add "SQL Database Engine"
Application(s) in the group is/are not defined in config or did not convert.
461:set group service "Allowed Services" add "SSH"
Application(s) in the group is/are not defined in config or did not convert.
462:set group service "Allowed Services" add "Streamer"
Application(s) in the group is/are not defined in config or did not convert.
463:set group service "Allowed Services" add "TELNET"
Application(s) in the group is/are not defined in config or did not convert.
464:set group service "Allowed Services" add "UDP-ANY"
Application(s) in the group is/are not defined in config or did not convert.
465:set group service "Allowed Services" add "WINFRAME"
Application(s) in the group is/are not defined in config or did not convert.
485:set group service "Mail Server" add "Time Servers"
486:set group service "Restricted Services" comment "Ports restricted from PCA"
Application(s) in the group is/are not defined in config or did not convert.
487:set group service "Restricted Services" add "AOL"
Application(s) in the group is/are not defined in config or did not convert.
488:set group service "Restricted Services" add "IRC"
Application(s) in the group is/are not defined in config or did not convert.
489:set group service "Restricted Services" add "MAIL"
Application(s) in the group is/are not defined in config or did not convert.
490:set group service "Restricted Services" add "NetMeeting"
Application(s) in the group is/are not defined in config or did not convert.
491:set group service "Restricted Services" add "PC-Anywhere"
Application(s) in the group is/are not defined in config or did not convert.
492:set group service "Restricted Services" add "POP3"
Application(s) in the group is/are not defined in config or did not convert.
493:set group service "Restricted Services" add "Real Media"
Application(s) in the group is/are not defined in config or did not convert.
494:set group service "Restricted Services" add "TALK"
Application(s) in the group is/are not defined in config or did not convert.
495:set group service "SMTP-Full"
496:set group service "SMTP-Full" add "SMTP"
497:set group service "SMTP-Full" add "SMTP2"
498:set user "Administrator" uid 1
499:set user "Administrator" ike-id u-fqdn "administrator@.com" share-limit 1
500:set user "Administrator" type ike
This is not supported in JUNOS
501:set user "Administrator" "enable"
502:set user-group "VPN Client Members" id 1
503:set user-group "VPN Client Members" user "Administrator"
504:set crypto-policy
Line not recognized by S2J
505:exit
506:set ike gateway "Remote P1385" address 75.147.54.82 Main outgoing-interface "ethernet0/9" preshare "/7b1CNK3N5aTItsVVECqjW/CQnniw5j0Vw==" sec-level compatible
507:set ike gateway "Remote P1385" nat-traversal
NAT-T is enabled by default
508:unset ike gateway "Remote P1385" nat-traversal udp-checksum
509:set ike gateway "Remote P1385" nat-traversal keepalive-frequency 0
Keep Alive Secounds should be between 0-300
510:set ike gateway "Remote PjsC" address 0.0.0.0 id "remotepjsc@.com" Aggr outgoing-interface "ethernet0/9" preshare "cWH/vA+zNZi17WsjncCGPi2wlan5Imj4jw==" proposal "pre-g2-des-md5"
511:set ike gateway "Remote PjsC" cert peer-ca all
512:set ike gateway "Remote PjsC" nat-traversal udp-checksum
NAT-T is enabled by default
513:set ike gateway "Remote PjsC" nat-traversal keepalive-frequency 5
514:set ike respond-bad-spi 1
515:set ike ikev2 ike-sa-soft-lifetime 60
Line not recognized by S2J
516:unset ike ikeid-enumeration
Line not recognized by S2J
517:unset ike dos-protection
Line not recognized by S2J
518:unset ipsec access-session enable
Line not recognized by S2J
519:set ipsec access-session maximum 5000
Line not recognized by S2J
520:set ipsec access-session upper-threshold 0
Line not recognized by S2J
521:set ipsec access-session lower-threshold 0
Line not recognized by S2J
522:set ipsec access-session dead-p2-sa-timeout 0
Line not recognized by S2J
523:unset ipsec access-session log-error
Line not recognized by S2J
524:unset ipsec access-session info-exch-connected
Line not recognized by S2J
525:unset ipsec access-session use-error-log
Line not recognized by S2J
526:set vpn "Remote P1385 VPN" gateway "Remote P1385" no-replay tunnel idletime 0 sec-level compatible
527:set vpn "Remote P1385 VPN" monitor optimized rekey
528:set vpn "Remote P1385 VPN" id 0xa bind interface tunnel.1
Interface not found or User did not choose to convert this interface
529:set vpn "Remote PjsC VPN" gateway "Remote PjsC" replay tunnel idletime 0 proposal "g2-esp-des-md5"
530:set url protocol websense
Line not recognized by S2J
531:exit
532:set vpn "Remote P1385 VPN" proxy-id check
Line not recognized by S2J
533:set vpn "Remote P1385 VPN" proxy-id local-ip 192.168.1.0/24 remote-ip 192.168.55.0/24 "ANY"
534:set vpn "Remote P1385 VPN" proxy-id local-ip 192.168.4.0/24 remote-ip 192.168.55.0/24 "ANY"
535:set vpn "Remote P1385 VPN" proxy-id local-ip 192.168.0.0/16 remote-ip 192.168.55.0/24 "ANY"
536:set vpn "Remote PjsC VPN" proxy-id local-ip 192.168.0.0/16 remote-ip 192.168.50.0/24 "ANY"
537:set policy id 66 name "TEMP EARTH BLOCK" from "Trust" to "Untrust"  "Email Servers" "Any" "ANY" deny
538:set policy id 66
539:exit
540:set policy id 56 name "Tunnel - JSC" from "Trust" to "Untrust"  "192.168.0.0 /16" "192.168.50.0 /24" "ANY" tunnel vpn "Remote PjsC VPN" id 0xb pair-policy 58 log
541:set policy id 56
542:exit
543:set policy id 35 name "vpn_with_srx" from "Trust" to "Untrust"  "192.168.0.0 /16" "192.168.55.0 /24" "ANY" permit log
544:set policy id 35
545:set log session-init
Line not recognized by S2J
546:exit
547:set policy id 55 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
548:set policy id 55 disable
549:set policy id 55
550:exit
551:set policy id 67 name "HTTPS" from "Trust" to "Untrust"  "Any" "Any" "HTTPS" permit log
552:set policy id 67 disable
553:set policy id 67
554:set log session-init
Line not recognized by S2J
555:exit
556:set policy id 9 from "Trust" to "Untrust"  "192.168.0.0 /16" "Any" "Allowed Services" permit log
Application Group has application(s) that is/are not supported in JUNOS
557:set policy id 9
Missing Policy data Or Policy has an error and not being converted.
558:exit
559:set policy id 29 name "FTP" from "Trust" to "Untrust"  "192.168.0.0 /16" "MIP()" "ANY" permit
560:set policy id 29
561:exit
562:set policy id 64 name "JoinMe VOIP" from "Trust" to "Untrust"  "Any" "JoinMe VOIP" "JoinMe" permit
563:set policy id 64
564:exit
565:set policy id 1 name "Domain Controllers" from "Trust" to "Untrust"  "Domain Controllers" "Time Servers" "NetTime" permit log
566:set policy id 1
567:exit
568:set policy id 65 from "Trust" to "Untrust"  "192.168.1.14 /32" "Any" "SMTP-Full" permit
569:set policy id 65
570:set src-address "192.168.1.15 /32"
571:set src-address "192.168.1.18 /32"
572:set src-address "192.168.1.19 /32"
573:set src-address "192.168.1.23 /32"
574:set src-address "192.168.1.26 /32"
575:set src-address "Copiers"
576:exit
577:set policy id 7 name "IT Admin Workstations" from "Trust" to "Untrust"  "IT Admin Workstations" "Any" "ANY" permit log
578:set policy id 7
579:exit
580:set policy id 58 name "Tunnel - JSC" from "Untrust" to "Trust"  "192.168.50.0 /24" "192.168.0.0 /16" "ANY" tunnel vpn "Remote PjsC VPN" id 0xb pair-policy 56 log
581:set policy id 58
582:exit
583:set policy id 36 from "Untrust" to "Trust"  "192.168.55.0 /24" "192.168.0.0 /16" "ANY" permit log
584:set policy id 36
585:set log session-init
Line not recognized by S2J
586:exit
655:set policy id 69 name "TEMP-TITAN" from "DMZ" to "Trust"  "192.168.2.12 /32" "Any" "ANY" permit
656:set policy id 69 disable
657:set policy id 69
658:exit
659:set policy id 70 from "Untrust" to "DMZ"  "Any" "MIP()" "HTTP" permit
660:set policy id 70
661:set service "HTTPS"
662:set service "PING"
663:exit
664:set policy id 71 from "DMZ" to "Untrust"  "192.168.2.12 /32" "Any" "Allowed Services" permit
Application Group has application(s) that is/are not supported in JUNOS
665:set policy id 71
Missing Policy data Or Policy has an error and not being converted.
666:set service "Bitdefender BEST"
Missing Policy data Or Policy has an error and not being converted.
667:exit
668:set policy id 72 from "Untrust" to "Trust"  "Any" "MIP(50.204.118.199)" "HTTP" permit
669:set policy id 72
670:set service "HTTPS"
671:set service "FTP Server"
672:exit
673:set policy id 73 from "Trust" to "ServProc"  "Any" "Any" "HTTP" permit
674:set policy id 73
675:set service "HTTPS"
676:set service "PING"
677:set service "SSH"
678:exit
679:set policy id 74 from "ServProc" to "Untrust"  "Any" "Any" "HTTP" permit
680:set policy id 74 disable
681:set policy id 74
682:set service "HTTPS"
683:set service "PING"
684:set service "SMTP"
685:set service "SSH"
686:exit
687:set policy id 75 from "ServProc" to "Untrust"  "Any" "Any" "ANY" permit
688:set policy id 75
689:exit
690:set policy id 76 from "Untrust" to "ServProc"  "Any" "Any" "ANY" permit
691:set policy id 76
692:exit
693:set policy id 78 from "Trust" to "Voice"  "Any" "Any" "Call Manager" permit
694:set policy id 78
695:set service "HTTP"
696:set service "HTTPS"
697:set service "PING"
698:set service "VNC"
699:exit
700:set policy id 80 from "Voice" to "Untrust"  "Any" "Any" "ANY" nat src permit log
701:set policy id 80
702:set log session-init
Line not recognized by S2J
703:exit
704:set policy id 79 from "Voice" to "Untrust"  "Any" "Any" "PING" nat src permit log
705:set policy id 79 disable
706:set policy id 79
707:set service "SMTP-Full"
708:exit
709:set syslog config "192.168.1.17"
710:set syslog config "192.168.1.17" facilities local0 local0
711:set syslog config "192.168.1.17" log traffic
This is no distinction between traffic and event log in JUNOS
712:set syslog src-interface ethernet0/8
713:set webtrends config "192.168.1.17"
Line not recognized by S2J
714:set webtrends enable
715:set nsmgmt bulkcli reboot-timeout 60
This can't be translated as it requires changes in NSM database.NSM will make all necessary configuation changes when you add SRX device to NSM.
716:set ssh version v2
717:set ssh enable
718:set config lock timeout 5
Line not recognized by S2J
719:unset license-key auto-update
Line not recognized by S2J
720:set telnet client enable
Line not recognized by S2J
721:set ntp server "time.nist.gov"
722:set ntp server src-interface "ethernet0/2"
Line not yet supported by S2J
723:set ntp interval 60
Line not yet supported by S2J
724:set ntp max-adjustment 300
Line not yet supported by S2J
725:set snmp community "PRTG" Read-Write Trap-on traffic version v1
726:set snmp community "LPI" Read-Write Trap-on traffic version v1
727:set snmp host "LPI" 192.168.1.6/32  trap v1
Line not recognized by S2J
728:set snmp host "PRTG" 192.168.1.16/32  trap v1
Line not recognized by S2J
729:set snmp host "PRTG" 192.168.1.33/32  trap v1
Line not recognized by S2J
730:set snmp host "PRTG" 192.168.1.17/32  trap v1
Line not recognized by S2J
731:set snmp port listen 161
There is no equivalent in JUNOS
732:set snmp port trap 162
733:set snmpv3 local-engine id "0185042010000620"
Line not recognized by S2J
734:set vrouter "untrust-vr"
735:exit
736:set vrouter "trust-vr"
737:unset add-default-route
Line not recognized by S2J
738:set route 0.0.0.0/0 interface ethernet0/2 gateway x.x.x.x preference 20
739:set route 0.0.0.0/0 interface ethernet0/3 gateway x.x.x.x preference 20
740:set route 0.0.0.0/0 interface ethernet0/9 gateway x.x.x.x preference 10
741:set route 192.168.55.0/24 interface tunnel.1
Cannot determine next-hop.
742:exit
743:set vrouter "untrust-vr"
744:exit
745:set vrouter "trust-vr"
746:exit

 

2 REPLIES

Re: Converting ScreenOS(SSG140) to JunOS(SRX340)

Monday

There are a lot of red lines there.

 

Try to break them into smaller chunks and fix.

 

For example:

1. AFAIK, JunOS does not have ALGs for Apple ichat and SCTP. So you may ignore them.

2. Anything to do with VLAN-X zones and interfaces can be ignored as they are connected to transparent mode deployment

3. The Blue lines, again - are default in JunOS

Regards,
Gokul
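One way to split the S2J output into the smaller chunks suggested in the reply above, as an added example that is not part of the original thread or of the S2J tool. The function names, the bucket names and the message-matching rules are assumptions, and each message is attached only to the command line directly above it.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the S2J output quoted in the post:
# "<line no>:<ScreenOS command>", optionally followed by one S2J message line.
SAMPLE_REPORT = """\
95:set alg appleichat enable
Line not yet supported by S2J
113:set zone "Trust" vrouter "trust-vr"
122:set zone "Untrust" block
This is the default in JUNOS
129:unset zone "VLAN" tcp-rst
Transparent mode is  not supported by the S2J tool yet.
154:set interface ethernet0/1 nat
NAT Mode is not supported in JUNOS
334:set address "Trust" "192.168.1.170 /24" 192.168.1.170 255.255.255.0 "Video Conferencing System"
Invalid IP Address.Not accepted in Junos. Host IP should have /32 or 255.255.255.255 as mask.
545:set log session-init
Line not recognized by S2J
"""

NUMBERED = re.compile(r"^(\d+):(.*)$")


def parse_report(text):
    """Return one dict per numbered command with the S2J message that follows it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NUMBERED.match(line)
        if m:
            entries.append({"line": int(m.group(1)),
                            "command": m.group(2),
                            "message": None})
        elif entries:
            # Unnumbered line: an S2J message for the command just above it.
            prev = entries[-1]
            if prev["message"] is None:
                prev["message"] = line
            else:
                prev["message"] += " " + line
    return entries


def bucket_for(message):
    """Map an S2J message to a work bucket (hypothetical rules, adjust as needed)."""
    if message is None:
        return "no-message"            # S2J raised nothing for this line
    text = " ".join(message.lower().split())
    if "transparent mode" in text:
        return "transparent-mode"      # VLAN / V1-* zones, per the reply
    if "default" in text:
        return "junos-default"         # already the Junos behaviour
    if ("not recognized by s2j" in text
            or "not yet supported by s2j" in text
            or "not supported by s2j yet" in text):
        return "unhandled-by-s2j"      # decide per command: ignore or hand-convert
    return "manual-review"             # NAT mode, address masks, MIPs, groups...


def triage(entries):
    """Group source line numbers by bucket so each chunk can be worked separately."""
    buckets = defaultdict(list)
    for entry in entries:
        buckets[bucket_for(entry["message"])].append(entry["line"])
    return dict(buckets)


if __name__ == "__main__":
    for bucket, lines in sorted(triage(parse_report(SAMPLE_REPORT)).items()):
        print(f"{bucket:18} {lines}")
```
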

Re: Converting ScreenOS(SSG140) to JunOS(SRX340)

Monday

Remote access vpn and the tunnel interface lines will become dynamic vpn following these instructions.

 

https://www.juniper.net/documentation/en_US/junos12.1x46/topics/example/vpn-security-dynamic-example...

 

Interface source NAT:

154:set interface ethernet0/1 nat

 Is found on page 5 here:

https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

 

Interface bandwidth policer:

170:set interface ethernet0/9 bandwidth egress mbw 51200 ingress mbw 51200

These get applied to either ingress / egress or both and can be controlled by parameters.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28161

 

These can be ignored.

302:unset interface ethernet0/4 dhcp server config next-server-ip
Line not recognized by S2J
303:unset interface ethernet0/6 dhcp server config next-server-ip
Line not recognized by S2J
310:set interface "ethernet0/9" mip x.x.x.x host 192.168.1.17 netmask 255.255.255.255 vr "trust-vr"
Corresponding policy statement not found for MIP. No rule-set created

 

If you confirm this is not in use you can ignore the statement.

310:set interface "ethernet0/9" mip x.x.x.x host 192.168.1.17 netmask 255.255.255.255 vr "trust-vr"
Corresponding policy statement not found for MIP. No rule-set created

If it is in use you would change to static nat on page 13 here

https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

 

For these the issue is the name.

334:set address "Trust" "192.168.1.170 /24" 192.168.1.170 255.255.255.0 "Video Conferencing System"
Invalid IP Address.Not accepted in Junos. Host IP should have /32 or 255.255.255.255 as mask. 
664:set policy id 71 from "DMZ" to "Untrust"  "192.168.2.12 /32" "Any" "Allowed Services" permit
Application Group has application(s) that is/are not supported in JUNOS

The / character cannot be in an address name in Junos; change from:

"192.168.1.170 /24" to 192.168.1.170-24

Then run the conversion again and these should be all picked up and processed.

 

For the applications not recognized you will need to create them and add to the group.

33:set group service "Allowed Services" comment "Ports open to PCA"
Application(s) in the group is/are not defined in config or did not convert.

specify the name, protocols and ports

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-application-identificati...

 

Looks like the policy converted so you only need to add the logging to the new policy

545:set log session-init
Line not recognized by S2J

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-...

 

For syslog on the security policies

711:set syslog config "192.168.1.17" log traffic
This is no distinction between traffic and event log in JUNOS

you will configure via the event mode instructions.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16509

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
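The address-name change described in the reply above (replace the "/" in names such as "192.168.1.170 /24" with "-" before rerunning the conversion), as an added example that is not part of the original thread or of the S2J tool. The function names and the sample configuration are constructed for illustration, and the script assumes names are renamed only where they appear as quoted tokens on address, address-group and policy lines.

```python
import re

# Constructed ScreenOS excerpt (no S2J line numbers), modelled on the post.
SAMPLE_CONFIG = '''\
set address "Trust" "192.168.1.170 /24" 192.168.1.170 255.255.255.0 "Video Conferencing System"
set address "Untrust" "18.72.0.3 /16" 18.72.0.3 255.255.0.0 "bitsy.mit.edu (time server)"
set address "DMZ" "192.168.2.25" 192.168.2.25 255.255.255.255
set group address "Untrust" "Time Servers"
set group address "Untrust" "Time Servers" add "18.72.0.3 /16"
set policy id 65 from "Trust" to "Untrust"  "192.168.1.170 /24" "Any" "SMTP-Full" permit
set policy id 65
set src-address "192.168.1.170 /24"
set dst-address "192.168.50.0 /24"
exit
set route 192.168.55.0/24 interface tunnel.1
'''

ADDRESS_DEF = re.compile(r'^set address "([^"]+)" "([^"]+)"')
QUOTED = re.compile(r'"([^"]*)"')
# Only these statements carry address-book names; routes, interfaces and
# proxy-ids keep their real "/" prefixes untouched.
REFERENCING = ("set address ", "set group address ", "set policy ",
               "set src-address ", "set dst-address ")


def sanitize_name(name):
    """'192.168.1.170 /24' -> '192.168.1.170-24' (the form given in the reply)."""
    return re.sub(r"\s*/\s*", "-", name)


def build_rename_map(config):
    """Map every defined address name containing '/' to its sanitized form."""
    defined = []
    for line in config.splitlines():
        m = ADDRESS_DEF.match(line.strip())
        if m:
            defined.append(m.group(2))
    taken = {n for n in defined if "/" not in n}
    mapping = {}
    for name in defined:
        if "/" not in name or name in mapping:
            continue
        new = sanitize_name(name)
        if new in taken:
            # Two objects would end up sharing one name: stop, do not merge them.
            raise ValueError(f"rename of {name!r} collides with {new!r}")
        taken.add(new)
        mapping[name] = new
    return mapping


def rename_addresses(config):
    """Rewrite definitions and every reference consistently; return (config, map)."""
    mapping = build_rename_map(config)

    def swap(m):
        return '"%s"' % mapping.get(m.group(1), m.group(1))

    out = []
    for line in config.splitlines(keepends=True):
        if line.lstrip().startswith(REFERENCING):
            line = QUOTED.sub(swap, line)
        out.append(line)
    return "".join(out), mapping


def unresolved_references(config):
    """Quoted names that still contain '/' after renaming: they are referenced
    but never defined with 'set address', so S2J would still reject them."""
    left = set()
    for line in config.splitlines():
        if line.lstrip().startswith(REFERENCING):
            left.update(t for t in QUOTED.findall(line) if "/" in t)
    return sorted(left)


if __name__ == "__main__":
    new_config, mapping = rename_addresses(SAMPLE_CONFIG)
    print(new_config)
    print("renamed:", mapping)
    print("still undefined:", unresolved_references(new_config))
```
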