Migrating client from ISA 2006 to Juniper SRX Cluster

Berg0

Hello, I'm in the process of redesigning a client network infrastructure. At the moment they are using M$ ISA Server 2006 on the edge *shudder*. It's going to be replaced with an HA cluster of Juniper SRXs, but I'm not looking forward to manually recreating all of the firewall rules from scratch. Does anyone know of an easy way to do an export of NAT rules and ACLs from ISA, even a way to get them into a CSV with headers, so I could at least start out with a list of source/destination/protocol etc.? Well over 100 rules that need to be ported over, so it's worth a little bit of effort I think.
 
May not be the answer you are looking for, but this would be a great opportunity to go line-by-line through the rules and justify and document why each exception is there. Every time I review ACLs with clients there is always an 'oh shit I thought we took that out a long time ago' moment.
 
That's pretty much the idea. I've got a great opportunity where we saved enough going with Juniper gear over the ASAs that were originally proposed that we're going to be able to build a new infrastructure in parallel with the old one, and cut over everything in one night. I'll be able to do a full test of all the required firewall rules because I'll have test SAN storage and VMware hosts.
My biggest problem with these ISA rules is that they have a bunch of IP names defined, and the IP name or network name will be shown instead of IP or network addresses.
 