360-FAAR README v0.4.6

[360-FAAR ASCII-art banner]

The latest version of this code can be found at http://sourceforge.net/projects/faar/
---------------------------------------------------------------------------------------------------

360-FAAR (Firewall Analysis Audit and Repair) is an offline, command line, Perl firewall policy
manipulation tool to filter, compare to logs, merge, translate and output firewall commands for
new policies, in Checkpoint dbedit, Cisco PIX/ASA or ScreenOS commands, and it's one file!

Read Policy and Logs for:
  Checkpoint FW1 (in odumper.csv / logexport format),
  Netscreen ScreenOS (in get config / syslog format),
  Cisco ASA (show run / syslog format).

360-FAAR uses both inclusive and exclusive CIDR and text filters, permitting you to split large
policies into smaller ones for virtualisation at the same time as removing unused connectivity.

360-FAAR supports policy to log association, object translation, rulebase reordering and
simplification, rule moves and duplicate matching automatically, allowing you to seamlessly move
rules to where you need them.

TRY: 'print' mode. One command, and a spreadsheet for your audit needs!

Features
---------------------------------------------------------------------------------------------------
* WRITTEN IN SIMPLE Perl - NEEDS ONLY STANDARD MODULES - IS ONE FILE
*
* Easy to Edit Menu Driven Text Interface
* Capable of manipulating tens of thousands of rules, objects and groups
* Handles infinitely deep groups
* Capable of CIDR filtering connectivity in/out of policy rulebases.
* Capable of merging rulebases.
* Identifies existing connectivity in rulebases and policies
* Automatically performs cleanup if a log file is provided.
* Keeps DR connectivity via any text or IP tag
* Encryption rules can be added during policy moves to remove the "merge from" rules for traffic
  that would be encrypted by the time it reached the firewall on which the "merge to" policy is
  to be installed - sounds complicated but it's not in practice - appropriate ike and esp rules
  should be added manually
* Runs consistency checks on its own objects and rule definitions
* Extendable via a simple elsif in the user interaction loop section.
*
* EASY TO EXECUTE:
*   ./360-faar.pl od=|ns=|cs=configfile[,logfile,natsfile]
*
* CONFIG TYPES: - cisco soon!
*   od = logexported logs, object dumper format config, fwdoc format nat rules csv
*   ns = syslog format logs, screenos6 format config, nats are included in policy but not
*        processed fully yet, fwdoc format nats can be used though
*   cs = cisco asa syslog file, cisco ASA format config, - not ready yet
*
* OUTPUT TYPES:
*   od = output an odumper/ofiller format config to file, and print the dbedit for the rulebase
*        creation to screen
*   ns = outputs netscreen screenos6 objects and policies (requires a netscreen config or zone info)
*   cs = cisco asa format config - running and almost ready...
*
* By default 360-FAAR accepts as many configs as you enter on the command line.
* Make an empty file called "fake" and use this as the file name for logfiles if you want to
  process a config with NATS but no logfile.
* Log file headers in fw1 logexported logs are found automatically so many files can be cat'ed
  together
*
* FURTHER PROCESSING AND MANUAL EDITING:
* Output odumper/ofiller format files and make them more readable (watch out for spaces in names)
  using the numberrules helper script
* Edit these csv's in OpenOffice or Excel using any of the object or group definitions from the
  three loaded configs.
* You can then use this file as a template to translate to many different firewalls using the
  'bldobjs' mode

# 360-FAAR (Firewall Analysis, Audit, and Repair)
# The purpose of this script is to provide detailed analysis of a firewall's configuration by
# combining logs and config
#---------------------------------------------------------------------------------------------------
# Currently supported input and output firewall config types are:
#---------------------------------------------------------------------------------------------------
#   - Cisco ASA: show run
#   - Netscreen ScreenOS 6: get config
#   - Checkpoint Firewall-1: odumper/ofiller csv format in, fwdoc nats in, dbedit out
#   - Many similar typed configs can be "cat'ed" together for comparison via 'print' modes or
#     duplicates Data::Dumper prints
# Currently supported input firewall log types are:
#---------------------------------------------------------------------------------------------------
#   - Cisco ASA: syslog text log
#   - Netscreen ScreenOS 6: syslog text log
#   - Checkpoint Firewall-1: logexport utility format,
#   - Many log files can be "cat'ed" together, in line log headers and prefixes are accounted for
# This script is hopefully written in a way that will make its workings understandable to firewall
# and network engineers
#---------------------------------------------------------------------------------------------------
# The latest version of this code can be found at http://sourceforge.net/projects/faar/
#---------------------------------------------------------------------------------------------------
# Version v0.4.6 - This release correctly translates output netscreen group names in comment lines
#                  and comments are output last.
#                - Empty groups are not matched in build_rules subs - should be irrelevant, but just
#                  in case.
#                - Rule comments are output in 'set name' statements in policy id mode for netscreen
#                  rulebases.
#                - Netscreen rules 'name' strings are added with rule descriptions and net ranges are
#                  translated as ranges.
#                - Netscreen and checkpoint default services have been updated with a few new services
#                  definitions.
#                - 'rr' mode 'nat' defaults added - the same as 'yes' defaults with CIDR filter NAT
#                  translations switched on.
# Version v0.4.5 - This release fixes rulebase output bugs when using the 'cl' option in 'rr' mode.
#                - Netscreen rulebase numbers now output usable rule numbers in 'cl' rulebases.
#                - Also, hopefully the ctrl-c panic when reading logs is fixed.
#                - 'rr' mode 'log' defaults now switch off 'Any' rule to object and service object
#                  resolution.
#                - 'rr' mode 'res' defaults now switch on most resolution and matching options.
# Version v0.4.4 - This release adds the "resolve services from 'Any' objects" option to the 'rr' mode.
#                  This new 'rr' mode option requires that a log file is loaded and that the output
#                  policy is filtered using it.
#                  When connectivity is found in the logs that matches a policy instance with the 'Any'
#                  service specified, the proto and port from the logs are used in the output policy
#                  and resolved objects are not added to the source config bundles but are reported
#                  during the rule build stages and should be added manually.
#                - Unknown service definitions are not output but are used in rules - cisco output uses
#                  unknown-proto in rules.
#                - Also, this release adds the "resolve 'Any' network objects to known nets" option to
#                  the 'rr' mode.
#                  This new 'rr' mode 'log' default resolves binary objects from the logs using all
#                  existing network objects from the "merge from" config bundle, and uses them in the
#                  new policy.
# Version v0.4.3 - This release adds the 'hc' option to build rules in 'rr' mode and arrange the most
#                  hit new rules at the top.
#                  BEWARE: Hit count rules are not 100% reliable at present!!! Hit counts can be
#                  multiplied for multi IP objects.
#                - 'cl' mode rules now use the original global rule number instead of incrementing it
#                  by 1.
#                - The defaults for 'rr' mode rule builds have been changed - say no to ALL DEFAULTS to
#                  see new default options.
#                - Added 'log' defaults to 'rr' mode, this selects the same new defaults but chooses
#                  'yes' in filter with logs.
#                - Nat rule dots printing is more frequent to give better visual output.
#                - Less dots are printed for log to rule matches in 'rr' mode.
#                - 'load' mode now doesn't try to load logs and nats from '.' when you skip loading
#                  these files
#                - Rules that are not logged with a rule number in checkpoint are now listed as rule 0
#                  which hopefully resolves the non numeric sort errors in 'rr' mode.
# Version v0.4.2 - This release adds the 'cl' option to clean/filter original rules, in 'rr' mode.
#                  This new rule build mode ungroups all existing rules connectivity filters and
#                  regroups each rule separately.
#                - The original rule build modes have been split and each can now output firewall
#                  commands.
#                - The 'rr' mode menu has been simplified further.
#                - Starting the script without any options now starts load mode to add at least one
#                  config.
#                - This release fixes a bug in the 'any' object matching, any will now be matched from
#                  logs.
#                - The rashfilter hash tree format has been changed to match the order of the other
#                  rule processing hashes: mergebase, filterbase and rulegroups, this should reduce
#                  memory use slightly.
# Version v0.4.1 - This release adds the 'mergelog' mode. This mode allows you to add binary log
#                  entries from one config with another, this does not update the information output
#                  by 'print' mode but does update the binary log information used by 'rr' mode.
#                - This release also significantly updates the user interface. You can now choose
#                  options using an option number instead of the text value.
#                - Help is no longer printed if you start the script without any options.
#                  This allows all configs to be loaded from the 'load' menu instead of specifying
#                  them on the command line.
#                - Added 'verbose' switches to 'print' and 'rr' modes so that screen output can be
#                  switched off.
#                - The netscreen output stage now uses a default zone if none are specified.
#                - Also, all 'end.' key words have been changed to simply '.' to reduce the number of
#                  keystrokes needed for each rationalization. Entering '0' now adds all options and
#                  '.' chooses the default if available.
# Version v0.4.0 - This release changes the command line options and permits you to process as many
#                  configs as you choose
#                - Some MIP functionality was fixed in the Netscreen Reader sections.
#                - All config reading and processing has been refactored into subroutines.
#                - Three new modes have been added:
#                    'load' mode allows you to load new config bundles into an already running
#                    instance of 360-FAAR
#                    'copylog' mode associates a log file from one config with another loaded or new
#                    config.
#                    'help' mode prints info about all of the other modes
#                  Undefined warnings have been resolved when using CTRL-C to exit the user loop.
# Version v0.3.9 - This release permits you to choose the types of rules and which rule actions to
#                  include in the rule rationalization mode. Both the 'merge from' and 'filter'
#                  rulebases rule types can be chosen.
#                - The 'rr' mode rule unwrap code has been optimized.
# Version v0.3.8 - This release adds Cisco ASA 8.3+ object NAT to the cisco reader section for static
#                  and dynamic NAT. Network objects, ranges and IPs are translated - groups are not
#                  presently translated.
#                - Running the script with '--help' or '-h' or 'h' in the first argument now prints the
#                  simple help screen.
#                - Two new options have been added to the 'rr' mode filters, to allow encryption rules
#                  from the merge from and to rulebases to be used to mask later rules in the merge
#                  from rulebase.
#                - Matches output during 'rr' mode filtering are now listed using the source config
#                  bundle object names instead of the binary CIDR IPs.
# Version v0.3.7 - This release fixes many of the bugs in the cisco reader and writer sections,
#                  so that cisco configs can now be processed, written, read, processed and written
#                  again cyclically
#                - Access lists using proto groups, specifying only protocol details or using 'any'
#                  services are now handled.
#                - Protocol group-objects are written and used in rules for service groups with
#                  different protocols specified within them.
#                - port-objects are read in service objects, service groups and protocol groups alike.
#                - The cisco 'echo' default service has been updated to remove tcp and udp from its
#                  listed ports.
# Version v0.3.6 - This release resolves many of the problems with the filter sections, many of the
#                  undefined warnings are resolved.
#                - Both the specific and the subnet 'rr' mode filter sections have been upgraded to fix
#                  many of the issues related to combining various filter mode types, and the filters
#                  behaviour should be much more predictable.
#                - The Cisco and od output section definitions now print service defs for all defined
#                  proto types
# Version v0.3.5 - This release introduces three new sub routines that are used to run much stronger
#                  consistency checks against the internal network and service object, group and rule
#                  definitions after each round of processing. These new tests provide much greater
#                  visibility of incomplete objects and rules and give details of any missing object
#                  elements.
#                - The netscreen reader now reads "interface dip" and rule "dip-id" statements and adds
#                  appropriate objects and nat translation rules.
#                - Warnings are printed for unknown cisco object group-objects found in policies during
#                  the config read.
#                - NAT SRC DST translations in 'rr' mode now support range objects using the range
#                  start address only and network objects are now translated to their network CIDR
#                  rather than the full binary IP.
#                - Various other updates to resolve "undefined" warnings
# Version v0.3.4 - This release resolves Cisco ICMP default services without printing stringified
#                  hash references in the cs output
#                - Also Cisco network and range objects are listed as such in object-groups instead of
#                  as hosts
#                - The cisco output writer uses 'object' in access-lists instead of IP NM, as well as
#                  listing range objects using 'range' in access-lists as well as groups. I should
#                  probably just use 'object' but the key word is easily changed and IMHO it makes
#                  the policies more readable
#                - The NAT translation now supports SRC NAT translation for known network objects in
#                  rr mode filters
# Version v0.3.3 - This release adds Cisco ASA static nat statements to the nats table for IP IP NM
#                  and access-list nats.
#                - The < and > range identifiers used in ports are now stripped before printing out
#                  Netscreen policies in rr mode.
#                - Some of the undefined warnings have been resolved
# Version v0.3.2 - This release reads Netscreen interface vip statements and adds them to the NATs
#                  table
#                - The Cisco internal rule object type definitions that are added to rulebases built
#                  from ASA or PIX configs have been corrected - these definitions are not used for
#                  anything yet.
#                - Further consistency checks have been added to the policy build sections to more
#                  easily identify problem objects.
#                - The NEW helper script htmlprintcsv.pl converts the 'print' mode output CSV file to
#                  HTML, run the script for info.
# Version v0.3.1 - This release cleans up the output in the new columns, so that specific VPN and
#                  negation usage is easier to see.
#                  The Cisco ASA/PIX reader has been upgraded so that it prints more user friendly
#                  info during the config read and handles rules using protocol groups far better
#                  than before.
#                - The cisco config reader now also correctly reads negated source and dest services.
# Version v0.3.0 - This release further updates the 'print' and 'fltprint' mode spreadsheets to
#                  include VPN tunnel usage info and source / destination negation from the policy as
#                  well as "install on" info.
#                  'print' modes now include most all of the "important" details pulled from the
#                  configs and logs.
# Version v0.2.9 - This release further upgrades the NAT analysis capabilities, more NAT details are
#                  listed in 'print' mode.
# Version v0.2.8 - This release adds new columns to the 'print' mode spreadsheets to list the policy
#                  and log NAT translations.
#                  The NAT rule processing is further updated to include log and policy information
#                  in the network objects.
# Version v0.2.7 - This release completely drops the previous NAT methodology and integrates NATs into
#                  the rule processing subs and also sports a rewrite of the NAT structures and nat
#                  rule processing, this new method is much more robust
#                - Negated rules are now identified in Netscreen and excluded from rr mode rulebases
# Version v0.2.6 - Corrected MIP interface NAT ANY service name and added nat dst ip statements to
#                  NATs tables
#                - Correctly reads disabled rules in netscreen and adds further checks to the rr mode
#                  rulebase builders
#                - Netscreen reader now reads tunnel vpn rules
# Version v0.2.5 - Added 'end.' comments to rr mode "enter search INC EX string" instructions
#                - Added 'exit' to menu and tried to resolve looping issue when using CTRL-c ...did it
#                  work?
#                - This release also resolves netscreen MIP(ipaddr) objects from interface mip
#                  statements and adds them to the NATs
#                - Issues resolved: incorrect protocol definitions (used when merging between
#                  checkpoint - netscreen) are skipped, and unknown rule types are skipped and
#                  reported - e.g.
#                  netscreen tunnel rules
# Version v0.2.4 - Further updates the cisco policy writer and resolves issues with service group
#                  access lists
#                - This release also resolves a few cisco reader bugs that printed undefined warnings
# Version v0.2.3 - Further updates to dbedit output - od mode now outputs object and service groups
#                - Dbedit output is also now printed straight to file
# Version v0.2.2 - Added object output to dbedit text in od mode, and NOTE: statements to the policy
#                  reader sections.
#                - net and service_builder subs now catch and report circular groups and sub groups
#                - fixed several bugs in cisco object, group and rule readers and writers
#                - changed proto port and toZone fromZone divider character from . to ~
# Version v0.2.1 - Removed default service definitions that were not recognised in FW-1 r75.10 and
#                  caused dbedit policy build to fail.
# Version v0.2.0 - Changed project status to BETA - feedback needed!!!
#                - Significantly upgraded the cisco object readers and writers and added more object
#                  checks to the netscreen and odumper readers, plus fixed the policy src print field
#                  and many other bugs
# Version v0.1.9 - Log to binary log conversion now writes log and rule usage hits to netobjects and
#                  'print' mode prints this info
#                - The log object resolution matches to the most specific CIDR range, to properly
#                  match traffic to rules use 'rr' mode
#                - Print mode also now lists src and dst service associations from rules for each
#                  object
# Version 0.1.8.1- Updated netscreen obj reader to flag DNS names in set address cmd's and capture
#                  service timeout cmd's
#                - Thanks to M.T. for flagging these issues so concisely!! Let me know if you want
#                  your name here if you read this.
# Version v0.1.8 - Added cisco policy output subroutine and sub groups to cisco reader
# Version 0.1.7.1- Fixed undefined warning in checkpoint log file reader for logs without service_id
#                  field.
# Version v0.1.7 - Fixed autovivification problem in bin log zone check, rule comments on original
#                  filtered rules, netscreen Any object name fixed, cisco apen protocol rules
#                  improved, add_srvc protocol issue fixed and log reader added.
# Version v0.1.6 - Bug Fixed and improved 'print' mode, fixed duplicate issue in cs mode, and many
#                  more bugs fixed in the cisco asa rule reading, as well as fixing misses in the
#                  binary log translation service matches.
#                - the improved print mode gives object duplicates, supernets, subnets, hosts on nets,
#                  rule obj usage etc.
#                - Added the 'fltprint mode', that filters the object analysis spreadsheet as its
#                  output
# Version v0.1.5 - ASA/PIX reader working well, new 'print' mode working, better named and organised
#                  subs
#                - print mode is a little noisy (warnings) but the warnings are for window dressing
#                  that is missing
# Version v0.1.3 - better bldobj mode and notes and zone mappings sorted in netscreen out, and groups
#                  translated
#                - service groups translated and odumper service group field spelling corrected.
# This program was written by Dan Martin of 360 Analytics Ltd.
#---------------------------------------------------------------------------------------------------
# www.360-faar.com   dan@360-faar.com   +44 7960 028 070 <- no one has ever called me on this number
#---------------------------------------------------------------------------------------------------
# Copyright (C) 2009-2013 Dan Martin
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#---------------------------------------------------------------------------------------------------

You can find marketing spiel in the Docs folder - Un-Stirring The Jam is probably the best doc.

Test Data, Console input, the output files and the console output are in the TestData folder.
Put all the test data files, not the output files, in the same folder as 360-faar.pl, then run
the following command:

  ./360-faar.pl od=TestData.csv od=TestData2.csv od=TestData3.csv

Hit return when asked, copy paste the commands in 360-faar.pl-Testinput.txt from the 'rr' to the
end of the file into the terminal, and take a look at the output...

The helper scripts are tiny but useful and may give you ideas about how to get what you want out
of 360-faar. They are in the 360-FAAR/HelperScripts folder.

Get this simple help by running just 360-faar.pl with --help
---------------------------------------------------------------------------------------------------
dan@fatboy:~$ ./360-faar.pl --help

[360-FAAR ASCII-art banner]

=========================================================================================
 360 Analytics Ltd. Firewall Analysis Audit and Repair
=========================================================================================
 360-FAAR Copyright (C) 2009-2013 Dan Martin
 This program comes with ABSOLUTELY NO WARRANTY.
 This is free software, and you are welcome to redistribute it
 under certain conditions; see the GPLv3 license.
 360-faar.pl v0.4.6 Help
 ---------------------------------------------------------
 How to run:
 ---------------------------------------------------------
 ./360-faar.pl od=|ns=|cs=config_file[,log_file,nat_file]

 eg: to run the TestData files provided in the 360AnalyticsLtd.zip, copy them to the 360-FAAR folder and run:
     ./360-faar.pl od=TestData.csv od=TestData2.csv od=TestData3.csv

 you can cat many log files together, checkpoint and syslog headers are recognised within the new log file
 if you dont have a file, touch (create) a file called fake and use this as a place holder

 CONFIG[,LOG,NAT] TYPES SUPPORTED:
 ---------------------------------------------------------
 odumper/ofiller format:
   od= (csv format config), (checkpoint logexported logs), (fwdoc format nats)
   eg: ./360-faar.pl od=configfile.csv
   eg: ./360-faar.pl od=configfile.csv,logexport.log
   eg: ./360-faar.pl od=configfile.csv,logexport.log,fwdocnats.csv

 netscreen screenos format:
   ns= (screenos6 "get config" format config), (syslog format netscreen logs), (fwdoc nats (not required but option))
   eq: ./360-faar.pl ns=configfile.txt
   eg: ./360-faar.pl ns=configfile.txt,syslog.txt
   eg: ./360-faar.pl ns=configfile.txt,syslog.txt,fwdocnats.csv

 cisco pix or asa format:
   cs= (pix asa 8.3+ config), (syslog format pix asa logs), (fwdoc nats (not required but option))
   eg: ./360-faar.pl cs=configfile.txt
   eg: ./360-faar.pl cs=configfile.txt,syslog.txt
   eg: ./360-faar.pl cs=configfile.txt,syslog.txt,fwdocnats.csv

And here's the intro screen with instructions:
---------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------
 STARTING USER INTERACTION LOOP ...hit enter!

[360-FAAR ASCII-art banner]

=========================================================================================
 360 Analytics Ltd. Firewall Analysis Audit and Repair
=========================================================================================
 360-FAAR Copyright (C) 2009-2013 Dan Martin

 360-FAAR v0.4.6 MENU:
 ------------------------------------
 print    = Prints the 360-FAAR Object Analysis Spreadsheet.
 fltprint = Prints a filtered Object Analysis Spreadshset in the same format as 'print' mode.
 rr       = Rationalize Rules and generate new rule bases, or clean/filter existing rules.
 bldobj   = Read rules in odumper/ofiller format and identify objects and groups needed to build them.
 load     = Load a new config bundle. Loading an existing config name will overwrite the existing config.
 copylog  = Associate an existing log with a different config. The original log will be over written.
 mergelog = Merge a binary log from one config with another.
 help     = Print help info to screen.
 exit     = EXIT the script.
 ---------------------------------------------------------
 Chose one: help

[Help Menu ASCII-art banner]

 360-FAAR v0.4.6 HELP MENU:
 ------------------------------------
 print    = Prints the details relating to all objects name, ip, rule and policy usage,
            group membership, supernets, subnets, hosts on networks, etc to a headded CSV,
            and a reduced csv to the screen for info.

 fltprint = Prints the same format object analysis spreadsheet as 'print' and allows you to specify
            inclusive and exclusive, text and CIDR filtering of the objects output.

 rr       = Rationalize selected rules together and filter using CIDR and strings if required
            Pull encryption rules from a second config (if traffic is encrypted between to and from firewalls)
            Merge to a third firewall cluster and match and filter existing connectivity out of new rules.
            This process can also translate objects and groups and gives details in the od, cs and ns
            output stage in the commemts section of the object definitions.
            This mode has three rule build methods. The dst src, service, and original rule filter and regroup.

 bldobj   = Resolve rule objects from odumper format file and translate objects and rules to a new firewall cluster
            Identify objects from the file using two of the loaded configuations and enter a third to
            translate objects to and write details to the comments.
            USE this mode to allow you to read modified or new rulebases and associate objects from the
            configs before writing the dbedit to make the rules to the screen and an od format file

 load     = Load a new config bundle. Loading an existing config name will overwrite the existing config.
            This mode allows you to add new config bundles to an already runing instance of 360-FAAR.
            With this mode, and copylog mode, you can load an updated config file and associate an
            already loaded log for use in rr mode rationalizations

 copylog  = Associate an existing log with a different config. The original log will be over written.
            This mode copies log information for rr mode rationalizations only, print mode info will be unaffected.

 mergelog = Merge a binary log from one config with another config.
            The FROM log entries will be merged with the destination TO log entries.
            Use this mode to update an existing configurations binary log info.

 exit     = EXIT the script.

 Output Types:
 ------------------------------------
 od = The legendary odumper/ofiller format with rules on, defaults on, object checking off
      and nats in the legendary fwdoc csv file format
      rr mode - Outputs odumper format files of its suggested policies, and at the moment uses a
                blank field for "Any" rules so that the files can be read by ofiller, and you can
                diff mine and fillers dbedit output for double consistency!!.
                It also the dbedit to create the rulebase to the screen.
                The dbedit objects and groups are translated, the csv file is not
      bldobj mode - outputs the same file and dbedit but keeps comments and rules from the input
                config - use the numberrules helper script to make the csv's more readable,
                modify the csv's and then read them in this or odumper format using the bldobj mode.
                The dbedit and the csv files objects and groups are translated, rule comments are kept

 ns = Netscreen ScreenOS 6 format, you need supply either a netscreen config to merege to,
      or ZONE IP NM statements when you output the commands to update the firewalls,
      or both, if you want to override the configs default route zone

 cs = Cisco. Output objects and groups in ASA 8.4+ format, and rules as ACE's in an access list
      name specified during the output stage.
 ---------------------------------------------------------
-----------------------------------------------------------------------------------------
 Hit Enter to return to the menu...
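
The README describes three ideas that are easier to see in code: resolving a logged address to the most specific CIDR object, associating log entries with policy rules, and applying inclusive and exclusive CIDR filters so that unused connectivity drops out. The Python sketch below illustrates those ideas; it is an added example, not code from 360-FAAR (which is Perl), and the object names, rule tuples, log entries and first-match semantics are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample data (not taken from the 360-FAAR TestData files).
# Network objects: name -> CIDR, deliberately nested (supernet, subnet, host).
OBJECTS = {
    "corp-net": "10.0.0.0/8",
    "site-a": "10.1.0.0/16",
    "site-a-dev": "10.1.2.0/24",
    "dev-host": "10.1.2.7/32",
}
# Rules: (rule number, source CIDR, destination CIDR, protocol, port)
RULES = [
    (1, "10.1.0.0/16", "192.168.10.0/24", "tcp", 443),
    (2, "10.1.2.0/24", "192.168.20.5/32", "tcp", 22),
    (3, "10.2.0.0/16", "192.168.10.0/24", "tcp", 443),
    (4, "172.16.0.0/12", "192.168.30.0/24", "udp", 53),
]
# Log entries: (source IP, destination IP, protocol, port)
LOGS = [
    ("10.1.2.7", "192.168.10.20", "tcp", 443),
    ("10.1.2.7", "192.168.20.5", "tcp", 22),
    ("10.1.9.9", "192.168.10.20", "tcp", 443),
    ("172.16.0.4", "192.168.30.53", "udp", 53),
]


def most_specific(ip, objects):
    """Return the name of the longest-prefix object containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best_name, best_len = None, -1
    for name, cidr in objects.items():
        network = ipaddress.ip_network(cidr)
        if addr in network and network.prefixlen > best_len:
            best_name, best_len = name, network.prefixlen
    return best_name


def rule_matches(rule, entry):
    """True when a log entry falls inside the rule's source, destination and service."""
    _, src, dst, proto, port = rule
    src_ip, dst_ip, log_proto, log_port = entry
    return (
        ipaddress.ip_address(src_ip) in ipaddress.ip_network(src)
        and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(dst)
        and (proto, port) == (log_proto, log_port)
    )


def hit_counts(rules, logs):
    """Count log hits per rule number; the first matching rule, top-down, wins."""
    hits = Counter()
    for entry in logs:
        for rule in rules:
            if rule_matches(rule, entry):
                hits[rule[0]] += 1
                break
    return hits


def in_scope(rule, include, exclude):
    """Inclusive filter: either end overlaps an include CIDR (empty means all).
    Exclusive filter: drop the rule if either end sits inside an exclude CIDR."""
    ends = [ipaddress.ip_network(rule[1]), ipaddress.ip_network(rule[2])]
    included = not include or any(
        e.overlaps(ipaddress.ip_network(c)) for e in ends for c in include)
    excluded = any(
        e.subnet_of(ipaddress.ip_network(c)) for e in ends for c in exclude)
    return included and not excluded


def rationalise(rules, logs, include=(), exclude=()):
    """Return (rule numbers to keep, rule numbers with no log hits)."""
    hits = hit_counts(rules, logs)
    keep = [r[0] for r in rules if hits[r[0]] and in_scope(r, include, exclude)]
    unused = [r[0] for r in rules if not hits[r[0]]]
    return keep, unused


if __name__ == "__main__":
    print(most_specific("10.1.2.7", OBJECTS))
    print(rationalise(RULES, LOGS, include=["10.1.0.0/16"],
                      exclude=["192.168.20.0/24"]))
```

Rule 3 never appears in the sample log, so it is reported as unused; rule 2 has hits but is dropped by the exclusive filter, which is how a filtered sub-policy can be split out of a larger one.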
Source: README.txt, updated 2013-11-17