Hey,
I am trying to migrate from a Juniper with logical systems to Check Point VSX. I know I can't count on SmartMove to do everything for me, but I would want it to at least help me move the 1000+ policies 🙂 Any idea how to do it? When I exported the whole xml file off the Juniper and put it into SmartMove I only got the policies from the root logical system. Exporting the logical system itself didn't work either. At this point doesn't even matter if it puts everything in one policy, or does separate ones, as long as I get the rules and objects on the SMS. Any advice would be appreciated.
Now I'm curious.
Not sure if you are allowed to send the file, but I would be happy to try it in the lab and see if I can make it work. I did this with Fortigate, Cisco, PAN, always worked fine.
I built an R82 latest jumbo 44 mgmt server, so if you are allowed/willing to send the Juniper config file, I'm happy to give it a go.
Cheers.
Hi, I am not, but I'm deploying two logical systems on a test SRX I have. I will add a few policies, check if it gives me the same output as the production one, and if it does I will send that one over. Any potential fix should be valid for the production boxes also. Not sure if I will make it today due to some other tasks but I'll be in touch by tomorrow at the latest. Thanks
No worries...lab test mgmt is ready on my end.
First of all, I would like to congratulate you on your decision to leave SRX. No matter where you go, anywhere is better than SRX. Except for Cisco FTD. I speak from experience.
Anyway, I read this in the sk for SmartMove
“Multi routing instance configuration - only single routing instance is supported”
I assume they mean lsys. However, I can't find anywhere in the sk how to deal with multi lsys.
I only worked once with SRX, was challenging, to say the least. As far as Cisco FTD, while back, not recently, so not sure how much it changed.
To be honest, I've had a bad experience with SRX and FTD.
We once lost a lucrative customer, a bank, because of Juniper and SRX.
We had only recently acquired the customer and, at their request, migrated an important cluster to SRX. Then an upgrade was due, and during the change we had a split brain situation. Even the Juniper experts present couldn't find the cause at first. Until a colleague of mine found out in a user group that the behaviour of sync traffic in VLAN had changed with the new release and how to revert it. But that was still enough for the customer to kick us out.
As for FTD, we once set up a two-tier DMZ environment. Checkpoint on the inside and FTD on the outside. Again, after an FTD upgrade, every few days the FTD cluster decided to reject all DNS requests to the outside. The only workaround until a patch version was delivered was to reboot the nodes. Simultaneously.
Since these incidents, I have not wanted to have anything to do with either of them.
I'm never going to forget the call I once had with a Cisco support guy about FTD when it was somewhat new. I could tell even he was not familiar with it, so I genuinely felt bad, but you know how it goes when we have to help our own clients.
Anyway, after some time, I could tell we were not going anywhere and I asked him if he could maybe escalate the case, and he says to me (NOT paraphrasing): "You know Mr Andy, I will be 100% honest with you, I can escalate this case, but the next engineer will probably know less than me about this"
Gave me good laugh LOL
Yes I know well the issue to have to support the customers but now I am at the customer side.
And I as well had times where I frequently had to fight with TAC to get an engineer that was not less experienced and qualified than myself. But I will not name the vendor.
Truth be told, it could happen with any vendor, especially when there is lots of pressure to fix the problem right over the phone. I recall once with Cisco, the lady was so persistent wanting to fix the problem, I had to tell her 10 times I was going to miss the flight to Bora Bora if we went past 6 pm lol
Anyway, we all know how stressful the IT world can be...
@robertp If you are allowed to send any config files, I got time Wednesday to try and see if import works via smartmove tool.
Hey, sorry for the delay. Attaching an xml from a test firewall I configured. The firewall looks like this:
root logical system:
1 zone-to-zone policy
1 global deny policy
two logical systems (WAN and WWW) each have the same policies:
2 zone-to-zone policies and 1 global policy
When using SmartMove I get the zone-to-zone policy from root and a lot of deny rules (I guess some are the implied rules that Juniper has by default). The result is exactly the same as for the production firewall.
Regarding the comments about vendors - SRX is a good L3 firewall, more stable and easier to configure than any other I worked on. It is definitely not a next-gen firewall, even though the vendor says so. As we all know - every vendor has its problems. I don't even want to start talking about various TAC engagements (for any vendor) as I want to keep it civilized 😉
I proposed a migration from the SRX to CP to the customer and honestly it has been one large headache till now. The outcome might be worth it in the end but not yet... If the smartmove tool doesn't work it will be yet another delay (possibly a large one now as someone will have to go and rewrite the policies by hand).
Thank you! Give me some time, as I have a large Fortigate -> CP cutover tomorrow, so that takes priority. But I will definitely give this a go today and update you.
@robertp Just realized I got an hour to spare, so let me try this now. Otherwise, will continue this afternoon and update you.
No worries, freeze period starting soon anyway, I won't have much else to do than try to fix it for some time so it's not super urgent right now. Much appreciated!
Not to sound cheesy or corny now, but I always look at this community as a brotherhood/sisterhood, so we are here to always help, so I will certainly test it and let you know the results mate.
Stand by 🙂
I got no clue if this looks right, but this is what it gave me, took literally 10 mins.
Hi,
It doesn't I'm afraid, the policies that are under logical-systems in the SRX are not here at all. Normally in a perfect world there should be 3 policies generated from this xml - one root, one called WWW and one WAN. It's also fine(ish) if they generate all in one policy and I could just separate them myself. For example, in your import you cannot see the two below policies, because they are under the 'logical-systems' section:
So how many rules you say should be there all together?
At least 8, maybe more if it also imports the implied rules which it seems it does. If that's the case then 11.
5 rules with permits and custom objects, and the rest denies.
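As an added example (not part of the thread, and not SmartMove or Juniper code), the script below inventories the security policies of a Junos XML export per logical system, so the "how many rules should be there" question can be answered from the file itself rather than from memory, and it can hoist every logical system's policies into the root <security><policies> block, which is the only block the thread reports SmartMove reading. The element layout (<configuration><security><policies>, <logical-systems><name>...</name><security>...) follows Junos `show configuration | display xml` output as I know it; the sample configuration, zone names and policy names are constructed to mirror the lab box described above (1 permit + 1 global deny in root, 2 permits + 1 global deny in each of WAN and WWW). Whether the converter accepts the hoisted file is an assumption to test, and zones and address books are deliberately left untouched, so cross-lsys name collisions must be checked by hand.

```python
"""Added example: per-logical-system policy inventory for a Junos XML export,
plus a hoist of all lsys policies into the root system. Not SmartMove/Juniper code."""
import xml.etree.ElementTree as ET


def _policy(name, action, app="any"):
    # Minimal Junos policy element; the any/any match is an assumption for brevity.
    return (f"<policy><name>{name}</name><match><source-address>any</source-address>"
            f"<destination-address>any</destination-address><application>{app}"
            f"</application></match><then><{action}/></then></policy>")


def _security(fz, tz, zone_rules, global_rules):
    # One zone-pair context plus one global context, as "display xml" lays them out.
    return ("<security><policies><policy>"
            f"<from-zone-name>{fz}</from-zone-name><to-zone-name>{tz}</to-zone-name>"
            + "".join(_policy(*r) for r in zone_rules) + "</policy><global>"
            + "".join(_policy(*r) for r in global_rules) + "</global></policies></security>")


# Constructed sample mirroring the lab SRX in the thread: 8 rules, 5 permits, 3 denies.
# Zone, policy and application names are made up.
SAMPLE_XML = (
    "<configuration>"
    + _security("trust", "untrust", [("root-out", "permit", "junos-https")], [("root-deny", "deny")])
    + "<logical-systems><name>WAN</name>"
    + _security("inside", "outside",
                [("wan-web", "permit", "junos-http"), ("wan-dns", "permit", "junos-dns-udp")],
                [("wan-deny", "deny")])
    + "</logical-systems><logical-systems><name>WWW</name>"
    + _security("dmz", "outside",
                [("www-web", "permit", "junos-http"), ("www-ntp", "permit", "junos-ntp")],
                [("www-deny", "deny")])
    + "</logical-systems></configuration>"
)


def _action(policy):
    then = policy.find("then")
    for act in ("permit", "deny", "reject"):
        if then is not None and then.find(act) is not None:
            return act
    return "unknown"


def _rules_under(security):
    """(from_zone, to_zone, name, action) for every policy below one <security>."""
    rules = []
    policies = security.find("policies") if security is not None else None
    for ctx in (policies if policies is not None else []):
        if ctx.tag == "policy":           # zone-pair context
            fz, tz = ctx.findtext("from-zone-name"), ctx.findtext("to-zone-name")
        elif ctx.tag == "global":
            fz = tz = "global"
        else:
            continue
        rules += [(fz, tz, p.findtext("name"), _action(p)) for p in ctx.findall("policy")]
    return rules


def policy_inventory(xml_text):
    """Map 'root' and each logical-system name to its list of rules."""
    cfg = ET.fromstring(xml_text)
    inv = {"root": _rules_under(cfg.find("security"))}
    for lsys in cfg.findall("logical-systems"):
        inv[lsys.findtext("name")] = _rules_under(lsys.find("security"))
    return inv


def summarize(inv):
    """Totals to compare against what the converter actually produced."""
    flat = [r for rules in inv.values() for r in rules]
    return {"total": len(flat),
            "permit": sum(r[3] == "permit" for r in flat),
            "deny": sum(r[3] == "deny" for r in flat)}


def hoist_into_root(xml_text):
    """Move each lsys's policy contexts into root <security><policies>, prefixing policy
    names with the lsys name. Zone-pair contexts go before the root global contexts,
    globals go last. Zones/address books are NOT renamed: check for collisions first."""
    cfg = ET.fromstring(xml_text)
    sec = cfg.find("security")
    if sec is None:
        sec = ET.SubElement(cfg, "security")
    dest = sec.find("policies")
    if dest is None:
        dest = ET.SubElement(sec, "policies")
    for lsys in cfg.findall("logical-systems"):
        lname = lsys.findtext("name")
        src = lsys.find("security/policies")
        for ctx in (list(src) if src is not None else []):
            for p in ctx.findall("policy"):
                n = p.find("name")
                n.text = f"{lname}-{n.text}"
            src.remove(ctx)
            if ctx.tag == "global":
                dest.append(ctx)
            else:
                first_global = next((i for i, c in enumerate(dest) if c.tag == "global"), len(dest))
                dest.insert(first_global, ctx)
    return ET.tostring(cfg, encoding="unicode")


if __name__ == "__main__":
    inv = policy_inventory(SAMPLE_XML)
    for system, rules in inv.items():
        print(system, rules)
    print(summarize(inv))
    print(summarize(policy_inventory(hoist_into_root(SAMPLE_XML))))
```

Run it against the real export with `policy_inventory(open("srx.xml").read())` and compare `summarize()` with the rule count the converter reports; if the root count matches what SmartMove imported and the lsys counts account for the missing rules, the hoisted file is worth one more lab run.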
I bet some rules are not in the format CP would "understand". I re-ran the scripts; it did show 8 rules during conversion, but then when I ran it, even after I did chmod and dos2unix on the script files, it gave the exact same thing. I hate to ask you this, but do you have any other file I can try this afternoon?
I'm afraid not, but it is the simplest of the simple. There is no way to make a clearer policy, so if the tool can't understand it then it will not work for anything more complex. I added 2 more rules to the root system so it's more visible what is generated. Also attached screenshots of how the rulesets should look in the same 7z file.
Cool, let me try that one as well.
Sadly, no dice. I will wipe test mgmt this afternoon and try again, but even with new files, gives me exact same thing.
But, oddly enough, when I do the conversion, shows me this.
I am pretty sure it just adds up the explicit deny rules. I just tried a production firewall with a few hundred rules (see the line count) in it, and it only gave me 10 rules. The rule setup is similar to my lab example - just 1 rule in the root logical system and a ton of rules under separate logical systems.
I won't give up, stand by, let's see if we can make it work.
Just a thought...can you compare those 10 rules with other ones and see if there are any differences that could explain this?
I remember a script deployed in Python, but I believe that it's for FortiGate; 1000 policies is too much. I'm still investigating.
Hey bro.
If you got the script, happy to try it in the lab and see what happens.
Of course, bro, I was checking in my info library; I had this GitHub link.
I'm not sure if it's useful but I'll share it.
Regards,
JS