Release Notes: This is the first release of 360-FAAR Enhanced. This version of 360-FAAR supports all original functionality and enhances it by adding "complex" processing modes which retain the firewall rulebase structure and are also capable of handling complex enterprise firewall policies with very high fidelity. Drop, Reject, and Encrypt rule structures are maintained as well as Accept rules. This is a separate code branch from 360-FAAR 0.4.x.
Release Notes: This release fixes netscreen group name translation bugs. Empty groups are not matched in build_rules subs. Comments are output in 'set name' statements in policy id mode for netscreen rulebases. Netscreen rule 'name' strings are added with rule descriptions, and net ranges are translated as ranges. Some default services have been updated with a few new services definitions. 'rr' mode 'nat' defaults have been added, the same as 'yes' defaults with CIDR filter NAT translations switched on.
Release Notes: This release fixes rulebase output bugs when using the 'cl' option in 'rr' mode. Netscreen rulebase numbers now output usable rule numbers in 'cl' rulebases. The ctrl-c panic when reading logs is fixed. 'rr' mode 'log' defaults now switch off 'Any' rule to object and service object resolution. New 'rr' mode 'res' defaults now switch on most resolution and matching options.
Release Notes: This release adds the 'hc' option to build rules in 'rr' mode and arrange the most hit new rules at the top. Beware: hit count rules are not 100% reliable at present. Hit counts can be multiplied for multi IP objects. 'cl' mode rules now use the original global rule number instead of incrementing it by 1. The defaults have been changed slightly, and a 'log' defaults option added. This release fixes a bug in 'load' mode trying to load files from '.', and Checkpoint rules that are not logged with a rule number are handled now.
Release Notes: This release adds the 'cl' option to clean/filter original rules, in 'rr' mode, and allows output of service priority rules as well as the original dst src priority rule build. The 'rr' mode menu has been simplified further. Starting the script without any options now starts load mode to add at least one config. This release fixes a bug in the 'any' object matching, any should now be matched from logs. The rashfilter hash tree format has been changed to match the order of the other rule processing hashes: mergebase, filterbase, and rulegroups; this should reduce memory use slightly.
Release Notes: This release adds the 'mergelog' mode to merge binary log entries from one config with another and significantly updates the user interface. All configs can be loaded from the 'load' menu instead of specifying them on the command line. This release adds 'verbose' switches to 'print' and 'rr' modes so that screen output can be switched off, and all 'end.' key words have been changed to simply '.' to reduce the number of keystrokes needed. Entering '0' now adds all options, and '.' chooses the default if available. The netscreen output stage now uses a default zone if none are specified.
Release Notes: This release permits you to choose the types of rules and which rule actions to include in the rule rationalization mode. Both the 'merge from' and 'filter' rulebase rule types can be chosen. The 'rr' mode rule unwrap code has been optimized.
Release Notes: This release fixes many of the bugs in the Cisco reader and writer sections. Cisco configurations can now be processed, written, re-read, processed, and written again cyclically. Access lists using proto groups, specifying only protocol details or using "ip/any" services, are now handled. Protocol group objects are written and used in rules for service groups with many different protocol types specified within them. "port-objects" are read in service objects, service groups, and protocol groups alike. The Cisco "echo" default service has been updated to remove TCP and UDP from its listed ports.
Release Notes: This release resolves many of the problems with the filter sections; as many of the undefined warnings as the author could find are now fixed. Both the specific and the subnet 'rr' mode filter sections have been upgraded to fix many of the issues related to combining various filter mode types, and as a result, the filters' behavior should be much more predictable. The Cisco and od output section definitions now print service defs for all defined prototypes.
Release Notes: This release includes much stronger consistency checks against the internal network and service object, group, and rule definitions after each round of processing. The netscreen reader now reads "interface dip" and rule "dip-id" statements and adds appropriate objects and NAT translation rules. Warnings are printed for unknown Cisco object group objects found in policies during the configuration read. NAT SRC DST translations in "rr" mode now support range objects using the range start address only, and network objects are now translated to their network bits only.