#!/usr/bin/perl | |
use strict; | |
use warnings; | |
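# Per-EPR aggregate of the rows read from the CSV, keyed by EPR id, then by
# attribute, then by distinct value (value => 1).  The address and port sets
# are collapsed into groups / consolidated services before policies are
# emitted, so each attribute hash is later rewritten in place.
my %HoH;

# Service objects invented for runs of consecutive ports ("tcp-1000:1010"
# => 1).  Filled by consolidate(), declared by generate_consolidated_services().
my %portgroups;

# Read every data row from the files named on the command line (or STDIN).
while (my $line = <>) {
    my $is_header = ($. == 1);
    my $where     = "$ARGV line $.";
    # Closing ARGV at end of each file resets $., so the header row of every
    # input file is skipped -- not only the first file's.
    close ARGV if eof;
    next if $is_header;
    chomp $line;
    next if $line =~ /\A\s*\z/;    # ignore blank lines
    my ($epr, $row) = _parse_row($line, $where);
    $HoH{$epr}{$_}{ $row->{$_} } = 1 for keys %$row;
}

# Parse one data row into (epr, { attribute => value }).
#
# Fields are trimmed of surrounding whitespace and a trailing CR (CRLF input)
# is dropped before splitting.  Dies, naming $where, when the row has fewer
# than ten columns, when a required field is empty, or when a field contains
# a double quote, a backslash or a control character: every field ends up
# inside a double-quoted FortiGate CLI argument, and such a character would
# terminate the quoting and could be read as further configuration.  Only
# the comments field may be empty.
#
# Returns the EPR id and a hashref with the keys source_ip, destination_ip,
# trf_port, info_text, src_interface and dst_interface.
sub _parse_row {
    my ($line, $where) = @_;

    # 0-based column index of every field this script reads.
    my %column = (
        epr      => 0,
        comments => 1,
        port     => 3,
        src_ip   => 4,
        dst_ip   => 5,
        src_int  => 8,
        dst_int  => 9,
    );
    my $needed = 10;

    $line =~ s/\r\z//;
    # Naive split: quoted fields and embedded commas are not supported, so a
    # comma inside a comment shifts every following column.
    my @csv = split /,/, $line, -1;
    die sprintf("%s: expected at least %d columns, got %d\n", $where, $needed, scalar @csv)
        if @csv < $needed;

    my %field;
    for my $name (sort keys %column) {
        my $index = $column{$name};
        my $value = $csv[$index];
        $value =~ s/\A\s+//;
        $value =~ s/\s+\z//;
        die "$where: column $index contains a quote, backslash or control character\n"
            if $value =~ /["\\\x00-\x1f\x7f]/;
        die "$where: column $index is empty\n"
            if $value eq '' && $name ne 'comments';
        $field{$name} = $value;
    }

    # High ephemeral ports are represented by one pre-existing object per
    # protocol instead of an individual service.  The match is anchored so a
    # value that already carries a range ("tcp-50000:60000") is left alone
    # rather than being matched on its first number only.
    my $port = $field{port};
    my %high_port_group = (
        tcp => "GIgnite_high_ports_49152_to_65535",
        udp => "GP-49152-65535",
    );
    if ($port =~ /\A(tcp|udp)-(\d+)\z/) {
        my ($proto, $number) = ($1, $2);
        $port = $high_port_group{$proto}
            if $number >= 49152 && $number <= 65535;
    }

    return ($field{epr}, {
        source_ip      => $field{src_ip},
        destination_ip => $field{dst_ip},
        trf_port       => $port,
        info_text      => $field{comments},
        src_interface  => $field{src_int},
        dst_interface  => $field{dst_int},
    });
}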
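# Emit the configuration in dependency order: address groups and consolidated
# service objects first, so the policies that reference them by name can be
# applied afterwards.  Each generator rewrites the per-EPR sets in %HoH in
# place (a 15+ member address set becomes a single group name; the port set
# becomes an ordered list of service names).
generate_source_groups();
generate_destination_groups();
generate_consolidated_services();

# One accept policy per EPR.  `edit 0` is presumably relied on to let the
# firewall assign the next free policy ID -- confirm on the target firmware.
_config("firewall policy");
foreach my $epr ( sort keys %HoH ) {
    my $rule = $HoH{$epr};
    _edit("0");
    _set("srcintf", _quoted(sort keys %{ $rule->{src_interface} }));
    _set("dstintf", _quoted(sort keys %{ $rule->{dst_interface} }));
    _set("srcaddr", _quoted(sort byip keys %{ $rule->{source_ip} }));
    _set("dstaddr", _quoted(sort byip keys %{ $rule->{destination_ip} }));
    _set("service", _quoted(@{ $rule->{trf_port} }));
    # `comments` is a single string field: several distinct comment values
    # for one EPR are joined into one argument rather than emitted as
    # separate quoted tokens.
    _set("comments", _quoted(join('; ', sort keys %{ $rule->{info_text} })));
    # NOTE(review): no `set schedule` is emitted; a FortiOS policy normally
    # needs one (e.g. "always") -- confirm the target accepts the policy.
    _set("action accept");
    _set("logtraffic all");
    _next();
}
_end();

# Wrap each value in double quotes for the CLI.  Values are emitted verbatim
# inside the quotes; they are expected to have been validated on input
# (no embedded quotes, backslashes or control characters).
sub _quoted {
    return map { qq/"$_"/ } @_;
}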
# Print the first argument followed by a newline, or an empty line when
# called with no arguments.  Any further arguments are ignored.
sub println {
    my ($text) = @_;
    my $body = @_ ? $text : "";
    print "$body\n";
}
# Open a configuration table: emits `config ARGS` (arguments joined by
# spaces) on its own line.
sub _config {
    my $table = "@_";
    print "config $table\n";
}
# Open (or create) a table entry: emits `edit "NAME"`.  The name is wrapped
# in double quotes but not escaped, so it must not contain quotes itself.
sub _edit {
    my $name = "@_";
    print "edit \"$name\"\n";
}
# Emit `set ARGS` with the arguments joined by spaces.  Arguments are written
# as given: callers are responsible for quoting values that need it.
sub _set {
    my $args = "@_";
    print "set $args\n";
}
# Close the current table entry: emits `next`.
sub _next {
    print "next\n";
}
# Close the current configuration table: emits `end`.
sub _end {
    print "end\n";
}
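# sort comparator: orders values containing a dotted-quad IPv4 address
# numerically by that address.  A value with no dotted quad (an address-group
# or other object name) sorts before any address, and two such values are
# compared as strings.  This replaces a numeric compare on undef, which
# raised "uninitialized value" warnings and gave non-IP members no defined
# order relative to each other.
sub byip {
    my $key_a = _ipv4_key($a);
    my $key_b = _ipv4_key($b);
    return $key_a <=> $key_b if defined $key_a && defined $key_b;
    return $a cmp $b         if !defined $key_a && !defined $key_b;
    return defined $key_a ? 1 : -1;    # the non-IP side sorts first
}

# Numeric sort key of the first dotted quad found in $text, or nothing
# (undef in scalar context) when $text contains none.  The match is not
# anchored, so "10.0.0.0/24" keys on 10.0.0.0 just as the original did.
sub _ipv4_key {
    my ($text) = @_;
    return unless $text =~ /(\d+)\.(\d+)\.(\d+)\.(\d+)/;
    return (($1 * 256 + $2) * 256 + $3) * 256 + $4;
}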
# sort comparator for service names.  When both sides look like "PROTO-N"
# (tcp or udp) they are ordered by protocol, then numerically by the first
# number; otherwise the two strings are compared as plain text.
sub byport {
    my ($proto_a, $num_a) = $a =~ /(tcp|udp)-(\d+)/;
    my ($proto_b, $num_b) = $b =~ /(tcp|udp)-(\d+)/;
    if (defined $proto_a && defined $proto_b) {
        return $proto_a cmp $proto_b || $num_a <=> $num_b;
    }
    return $a cmp $b;
}
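# Replace any source-address set with 15 or more members by a single address
# group.  Emits the `config firewall addrgrp` table for all EPRs (an empty
# table when no EPR qualifies) and rewrites $HoH{$epr}{source_ip} to hold
# only the group name, so the policy references the group.
sub generate_source_groups {
    _generate_address_groups("source_ip", "src-");
}

# Destination-side counterpart of generate_source_groups(): address sets with
# 15 or more members become one `dst-` group.
sub generate_destination_groups {
    _generate_address_groups("destination_ip", "dst-");
}

# Shared implementation.  $field is the %HoH attribute holding the address
# set ("source_ip" / "destination_ip"), $prefix the group-name prefix.
#
# The group is named after the EPR's comment text.  The lowest comment in
# string order is used so the name is identical on every run; taking the
# first key of the hash would vary between runs when an EPR has several
# comments.  Dies when two EPRs would produce the same group name: the
# second `edit` would silently replace the first group's members on the
# firewall and both policies would then match the wrong address set.
sub _generate_address_groups {
    my ($field, $prefix) = @_;
    my $min_members = 15;    # smaller sets stay inline in the policy
    my %seen;

    _config("firewall addrgrp");
    foreach my $epr ( sort keys %HoH ) {
        my $addresses = $HoH{$epr}{$field};
        next if scalar(keys %$addresses) < $min_members;

        my ($label) = sort keys %{ $HoH{$epr}{info_text} };
        $label = '' unless defined $label;
        my $group = $prefix . $label;
        die "address group '$group' would be defined twice (EPR $epr)\n"
            if $seen{$group}++;

        _edit($group);
        _set("member", map { qq/"$_"/ } sort byip keys %$addresses);
        _next();
        $HoH{$epr}{$field} = { $group => 1 };
    }
    _end();
}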
# Collapse each EPR's raw port set into an ordered list of service names
# (runs of consecutive ports of one protocol become "PROTO-LO:HI"), then
# declare every such range as a custom service.  Single-port names such as
# "tcp-80" and the high-port group names are not declared here; they are
# presumably expected to exist on the firewall already -- verify before
# applying the output.
sub generate_consolidated_services {
    foreach my $epr ( sort keys %HoH ) {
        my @services = consolidate($HoH{$epr}{trf_port});
        $HoH{$epr}{trf_port} = \@services;
    }

    _config("firewall service custom");
    foreach my $name ( sort byport keys %portgroups ) {
        my ($proto, $lo, $hi) = $name =~ /(tcp|udp)-(\d+):(\d+)/;
        next unless defined $proto;
        _edit($name);
        _set("$proto-portrange $lo-$hi");
        _next();
    }
    _end();
}
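# Collapse a set of service names into an ordered list.
#
# $ports is a hashref whose keys are names such as "tcp-80".  Keys of the
# exact form PROTO-N (tcp or udp) that form a run of consecutive port numbers
# within one protocol are merged into a single "PROTO-LO:HI" name, which is
# also recorded in %portgroups so the matching custom service gets declared.
# Every other key is passed through unchanged, in its byport sort position.
# Returns the resulting list.
#
# The match is anchored: a key that already carries a range or any other
# suffix ("tcp-80:90") is passed through as-is instead of being read as
# port 80 and silently losing the rest of the name.
sub consolidate {
    my ($ports) = @_;
    my @out;
    my ($prot, $lo, $hi);    # the run currently being extended, if any

    # Append the current run to @out as a single port or a range.
    my $flush = sub {
        return unless defined $prot;
        if ($lo == $hi) {
            push @out, "$prot-$hi";
        }
        else {
            my $range = "$prot-$lo:$hi";
            $portgroups{$range} = 1;
            push @out, $range;
        }
    };

    foreach my $name ( sort byport keys %$ports ) {
        my ($p, $n) = $name =~ /\A(tcp|udp)-(\d+)\z/;
        if (!defined $p) {
            push @out, $name;    # not a single PROTO-N port: keep verbatim
            next;
        }
        if (defined $prot && $p eq $prot && $n == $hi + 1) {
            $hi = $n;            # extends the current run
            next;
        }
        # First port seen, protocol changed, or gap in the numbering:
        # close the previous run (if any) and start a new one here.
        $flush->();
        ($prot, $lo, $hi) = ($p, $n, $n);
    }
    $flush->();
    return @out;
}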