Read and analyse Juniper SRX configuration from command line in order to graph rules, import policies in Excel, go recursively through address-set and more
djaity/juniper-config-parser

juniper-config-parser

Synopsis

This parser reads the Juniper SRX configuration over SSH (using pexpect).
The goal of this project is to dig into an SRX configuration easily from the Linux command line in order to

  • graph zones and rules
  • export policies to an Excel-readable CSV (with hit counters, rule position, etc.)
  • dig recursively into address-sets
  • list source NAT (SNAT) and destination NAT (DNAT) rules and export them to CSV
  • list applications (ports), for example to spot duplicates
  • archive successive configuration files (done automatically through a command-line option when requested)

Code Example

  • list the SRX's zones, address-sets, and the address-sets of a specific zone
    ./srx.py -lzone
    ./srx.py -laddrset
    ./srx.py -zoneaddrset Interne (this digs recursively into the address-set "Interne")

  • generate a GraphViz file of all policies between the zones DMZ and Interne
    ./srx.py -rulestree DMZ-Interne -graphviz > DMZ-Interne.viz

  • then, assuming Graphviz's dot is installed on your system, the following command renders the file generated above as a JPEG representation of your policies
    dot DMZ-Interne.viz -Tjpg -o DMZ-Interne.jpg

  • display potential inconsistencies in your SRX configuration
    ./srx.py -dspwarn
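
The following is an added example for this README, written for this page and not taken from the project's srx.py (whose internals are not described here). It shows in Python what the commands above do, on a constructed "display set" snippet embedded in the code: parsing zone address-books, applications and policies; walking an address-set recursively with a loop guard, as -zoneaddrset does; exporting policies with their position and optional hit counters to CSV; and flagging two inconsistencies of the kind -dspwarn is meant to report (a member that does not exist, and two applications defined for the same protocol/port). The zone and object names (Interne, DMZ, srv-dns, ...), the sample hit count and the choice of checks are assumptions, and only the plain `address NAME PREFIX` form of address entries is understood.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of "show configuration | display set" output (not from a real device).
SAMPLE_SET_CONFIG = """\
set security zones security-zone Interne address-book address srv-dns 10.10.0.53/32
set security zones security-zone Interne address-book address net-users 10.20.0.0/16
set security zones security-zone Interne address-book address-set infra address srv-dns
set security zones security-zone Interne address-book address-set all-internal address-set infra
set security zones security-zone Interne address-book address-set all-internal address net-users
set security zones security-zone Interne address-book address-set all-internal address srv-ldap
set security zones security-zone DMZ address-book address web1 192.0.2.10/32
set applications application http-alt protocol tcp destination-port 8080
set applications application tomcat protocol tcp destination-port 8080
set security policies from-zone Interne to-zone DMZ policy allow-web match source-address all-internal
set security policies from-zone Interne to-zone DMZ policy allow-web match destination-address web1
set security policies from-zone Interne to-zone DMZ policy allow-web match application http-alt
set security policies from-zone Interne to-zone DMZ policy allow-web then permit
set security policies from-zone Interne to-zone DMZ policy deny-rest match source-address any
set security policies from-zone Interne to-zone DMZ policy deny-rest match destination-address any
set security policies from-zone Interne to-zone DMZ policy deny-rest match application any
set security policies from-zone Interne to-zone DMZ policy deny-rest then deny
"""

ADDR_RE = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")
SET_RE = re.compile(r"^set security zones security-zone (\S+) address-book address-set (\S+) (address|address-set) (\S+)$")
APP_RE = re.compile(r"^set applications application (\S+) protocol (\S+) destination-port (\S+)$")
POL_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$")


def parse_set_config(text):
    """Parse zone address-books, address-sets, applications and policies; policies are kept in
    first-seen order, which in 'display set' output is the configured (evaluation) order."""
    cfg = {"addresses": {}, "address_sets": defaultdict(list), "apps": {}, "policies": {}}
    for line in map(str.strip, text.splitlines()):
        if m := ADDR_RE.match(line):
            zone, name, prefix = m.groups()
            cfg["addresses"][(zone, name)] = prefix
        elif m := SET_RE.match(line):
            zone, sname, kind, member = m.groups()          # kind: "address" or "address-set"
            cfg["address_sets"][(zone, sname)].append((kind, member))
        elif m := APP_RE.match(line):
            name, proto, port = m.groups()
            cfg["apps"][name] = (proto, port)
        elif m := POL_RE.match(line):
            frm, to, pname, kind, rest = m.groups()
            pol = cfg["policies"].setdefault((frm, to, pname), {
                "from": frm, "to": to, "name": pname, "action": None,
                "source-address": [], "destination-address": [], "application": []})
            if kind == "match":
                field, value = rest.split(" ", 1)
                pol.setdefault(field, []).append(value)
            else:
                pol["action"] = rest                          # "permit", "deny", ...
    return cfg


def resolve_address_set(cfg, zone, name, warnings=None, _seen=None):
    """Return {address-name: prefix} reachable from address-set `name` in `zone`, recursing into
    nested sets; unknown members are reported in `warnings`, `_seen` stops self-referencing loops."""
    _seen = set() if _seen is None else _seen
    if (zone, name) in _seen:
        return {}
    _seen.add((zone, name))
    out = {}
    for kind, member in cfg["address_sets"].get((zone, name), []):
        if kind == "address-set":
            out.update(resolve_address_set(cfg, zone, member, warnings, _seen))
        elif (zone, member) in cfg["addresses"]:
            out[member] = cfg["addresses"][(zone, member)]
        elif warnings is not None:
            warnings.append(f"address-set {zone}/{name} references unknown address {member}")
    return out


def find_inconsistencies(cfg):
    """Two checks of the kind -dspwarn is meant to surface (assumed checks, not the project's own list)."""
    warnings = []
    for zone, sname in list(cfg["address_sets"]):
        resolve_address_set(cfg, zone, sname, warnings)
    by_port = defaultdict(list)          # applications sharing protocol/port are duplicates
    for name, key in cfg["apps"].items():
        by_port[key].append(name)
    for (proto, port), names in sorted(by_port.items()):
        if len(names) > 1:
            warnings.append(f"duplicate application for {proto}/{port}: {', '.join(sorted(names))}")
    return warnings


def policies_to_csv(cfg, hit_counts=None):
    """Policies in evaluation order as CSV text; `hit_counts` (policy name -> hits) is an optional
    dict you would fill from 'show security policies hit-count'."""
    hit_counts = hit_counts or {}
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["position", "from-zone", "to-zone", "policy", "source", "destination", "application", "action", "hits"])
    for pos, p in enumerate(cfg["policies"].values(), start=1):
        w.writerow([pos, p["from"], p["to"], p["name"], ";".join(p["source-address"]),
                    ";".join(p["destination-address"]), ";".join(p["application"]),
                    p["action"], hit_counts.get(p["name"], "")])
    return buf.getvalue()
```

With `cfg = parse_set_config(SAMPLE_SET_CONFIG)`, `resolve_address_set(cfg, "Interne", "all-internal")` expands the nested set `infra` and returns srv-dns and net-users while `find_inconsistencies(cfg)` reports the dangling member srv-ldap and the http-alt/tomcat duplicate; `policies_to_csv(cfg, {"allow-web": 1234})` is what you would open in Excel. Real devices also use global address-books and wildcard or DNS address entries, which this minimal parser ignores.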

Motivation

This script was first developed at Cergy-Pontoise University by JT Graveaud, IT Network and Infrastructure Manager.
The initial need was to understand and see policies, SNAT and DNAT more clearly, in order to clean up thousands of policies that had become unreadable over the years.

Installation

Usage with Docker

The Python environment can be built as a local Docker container with all the dependencies installed automatically, so they don't need to be managed on the host computer.

Build the Docker image with tag 'config-parser' (the dot means that it uses the Dockerfile provided in the current directory):

docker build -t config-parser .

Start the container with a bind mount in order to keep files in the container in sync with the host:

docker run -v $(pwd):/juniper-config-parser -it config-parser bash

Quick-start user's guide & useful command lines:

  • 1/ First you need to create your config file "srx.conf"

$ cp srx_default.conf srx.conf

Edit this config file to set the srx_ip and srx_login of your SRX device. Every command the script runs on the device is a "show" command (see step 3), so a read-only login is sufficient; do not use a super-user account for this.

srx_ip = 10.0.0.1
srx_login = user-ro

  • 2/ Then encrypt your SRX password, in order to avoid

storing the password in clear text
leaving a trace of the SRX password anywhere, including in the bash history
retyping the password on every command line

$ ../common/pysec.py --enc -k key_default.enc

  • 3/ Finally, fetch all SRX configuration data and counters once, so that you can work on a local text copy and manipulate it without querying the SRX every time.
    This is also how you archive successive configuration files.

$ ./srx.py -getconf

Note: the command above stores the output of the following commands, in text format, in the "./data" directory:
show configuration | display xml
show configuration | display set
show security policies hit-count
show security policies
show security nat source rule all
show security nat destination rule all

Beware that the saved configuration contains the device's account password hashes and any "$9$"-encoded secrets (which are only obfuscated, not encrypted), so restrict access to "./data" as you would to the SRX itself.

After those 3 first steps, you can start using ./srx.py

Tests

Help on srx.py parameters: ./srx.py -h

Contributors

The only contributor today is JT Graveaud,
but anyone who wants to improve it and make it even more useful to the community is very welcome.

License

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
