■CSV output of the SRX {address,service}, {address,service}-set and policies configuration

$ echo {address,service} {address,service}-set policies
address service address-set service-set policies

■Getting the address CSV

No description is configured on the addresses, so the fields sit at fixed positions in the "display set" output and can be pulled out simply as follows.

$ ssh 172.16.76.203 "show configuration | display set | match \"address-book address \"" | \
  awk 'BEGIN{OFS=",";print "Zone,Name,IP/Subnet"}{print $5,$(NF-1),$NF}' > addresslist.csv
$ cat addresslist.csv
Zone,Name,IP/Subnet
L3-Trust,vmnet1.100,172.16.76.100/32
L2-Trust,vmnet8.100,192.168.152.100/32
L2-Trust,vmnet8.host,192.168.152.1/32
L2-Trust,vmnet8.dns,192.168.152.2/32

■Getting the address-set CSV

Same idea; here the third column is the name of a member address (the header line is carried over unchanged from the command above).

$ ssh 172.16.76.203 "show configuration | display set | match \"address-book address-set \"" | \
  awk 'BEGIN{OFS=",";print "Zone,Name,IP/Subnet"}{print $5,$(NF-2),$NF}' > addressgrouplist.csv
$ cat addressgrouplist.csv
Zone,Name,IP/Subnet
L3-Trust,test,vmnet1.100
L2-Trust,vmnet8,vmnet8.host
L2-Trust,vmnet8,vmnet8.dns

■Getting the application CSV

For simplicity, I decided not to turn [application-protocol] and the like into column headers.

The first awk joins the whole curly-brace output into a single line; sed then turns every closing brace into a line break, every opening brace or semicolon into a comma, and strips the indentation (runs of two or more spaces, so the single space between keyword and value survives); the last awk keeps only the "application " lines and drops the prefix and the trailing comma.

$ ssh 172.16.76.203 "show configuration applications" | \
  awk '{printf "%s", $0}' | \
  sed -e 's/}/\n/g' -e 's/ {\|;/,/g' -e 's/ \{2,\}//g' | \
  awk '/^application /{gsub(/^application /,"");gsub(/,$/,"");print}'
proxy_3128,application-protocol http,protocol tcp,destination-port 3128,inactivity-timeout 1800
proxy_8080,application-protocol http,protocol tcp,destination-port 8080,inactivity-timeout 1800

■Getting the application-set CSV

$ ssh 172.16.76.203 "show configuration applications" | \
  awk '{printf "%s", $0}' | \
  sed -e 's/}/\n/g' -e 's/ {\|;/,/g' -e 's/ \{2,\}//g' | \
  awk '/^application-set /{gsub(/^application-set /,"");gsub(/application /,"");gsub(/,$/,"");print}'
from-proxy,junos-http,junos-https,junos-ftp,junos-dns-tcp,junos-dns-udp,junos-ntp,junos-whois

■Getting the policies CSV

The columns here are very likely to shift, and in fact they already shift with only two policies. I decided not to chase this any further.

The extra awk stage rewrites "match," to "match " followed by a newline and the trailing comma of each line to ";", the next awk joins the lines again (which removes that newline), and the final sed moves the "then" part behind a comma and splits the result on ";".

$ ssh 172.16.76.203 "show configuration security policies" | \
  awk '{printf "%s", $0}' | \
  sed -e 's/}/\n/g' -e 's/ {\|;/,/g' -e 's/ \{2,\}//g' | \
  awk '{gsub(/match,/,"match \n");gsub(/,$/,";");print}' | \
  awk '{printf "%s", $0}' | \
  sed -e 's/then,/,then /g' -e 's/;/\n/g'
from-zone L3-Untrust to-zone L3-Trust,policy allow-all-internal,match source-address any,destination-address any,application any
,then permit
from-zone L3-Untrust to-zone L2-Trust,policy pass_proxy_3128,match source-address any,destination-address vmnet8.100,application proxy_3128
,then permit,log,session-init
from-zone L2-Trust to-zone L3-Untrust,policy pass_from_proxy,match source-address vmnet8.100,destination-address any,application from-proxy
,then permit,log,session-init
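The shifting columns come from the "then" block being nested (permit, plus an optional log { session-init; } inside it), which a flat brace-to-comma rewrite cannot line up. The following is an added example, not part of the original post: a small Python script that parses the curly-brace form printed by "show configuration" into a tree and writes one row per policy with fixed columns. The sample configuration inside it is constructed from the three policies above (indentation collapsed); the script name srx_policies_csv.py and the assumption that the input is plain configuration text without comments or annotations are mine.

```python
import csv
import io
import re
import sys

# Constructed sample (not captured from a device): the three policies shown on
# the page, in the curly-brace form that "show configuration security policies"
# prints. Indentation is collapsed; the parser does not depend on it.
SAMPLE_POLICIES = """
from-zone L3-Untrust to-zone L3-Trust {
    policy allow-all-internal {
        match { source-address any; destination-address any; application any; }
        then { permit; }
    }
}
from-zone L3-Untrust to-zone L2-Trust {
    policy pass_proxy_3128 {
        match { source-address any; destination-address vmnet8.100; application proxy_3128; }
        then { permit; log { session-init; } }
    }
}
from-zone L2-Trust to-zone L3-Untrust {
    policy pass_from_proxy {
        match { source-address vmnet8.100; destination-address any; application from-proxy; }
        then { permit; log { session-init; } }
    }
}
"""

FIELDS = ["from-zone", "to-zone", "policy", "source-address",
          "destination-address", "application", "action", "log"]
ACTIONS = ("permit", "deny", "reject")


def parse_junos(text):
    """Parse Junos curly-brace text: "header { ... }" -> header: dict,
    "key v1 v2;" -> key: [v1, v2] (bare "permit;" -> []). Bracketed lists
    such as "source-address [ a b ];" are flattened and a repeated key
    accumulates. Assumption: plain output, no comments or annotations."""
    tokens = re.findall(r"\{|\}|;|[^\s{};]+", text)
    pos = 0

    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                node[" ".join(words)] = block()
                words = []
            elif tok == "}":
                return node
            elif tok == ";":
                vals = [w for w in words[1:] if w not in ("[", "]")]
                node.setdefault(words[0], []).extend(vals)
                words = []
            else:
                words.append(tok)
        return node

    return block()


def policies_to_rows(tree):
    """One fixed-column row per zone-pair policy; global/default blocks are skipped."""
    rows = []
    for header, body in tree.items():
        parts = header.split()
        if len(parts) != 4 or parts[0] != "from-zone" or parts[2] != "to-zone":
            continue
        for sub, policy in body.items():
            if not sub.startswith("policy ") or not isinstance(policy, dict):
                continue
            match = policy.get("match", {})
            then = policy.get("then", {})
            log = then.get("log")
            rows.append({
                "from-zone": parts[1],
                "to-zone": parts[3],
                "policy": sub.split(" ", 1)[1],
                "source-address": " ".join(match.get("source-address", [])),
                "destination-address": " ".join(match.get("destination-address", [])),
                "application": " ".join(match.get("application", [])),
                "action": next((a for a in ACTIONS if a in then), ""),
                # nested "log { session-init; }" becomes the names of its statements
                "log": " ".join(sorted(log)) if isinstance(log, dict) else "",
            })
    return rows


def to_csv(rows):
    """Render rows as CSV with a fixed header, so columns never shift."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Read real output from a pipe; fall back to the constructed sample on a tty.
    text = SAMPLE_POLICIES if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(to_csv(policies_to_rows(parse_junos(text))))
```

Piping the device output into it instead of the sample, for example ssh 172.16.76.203 "show configuration security policies" | python3 srx_policies_csv.py > policylist.csv, gives the same header and column order no matter which "then" statements a policy carries; a policy without a log block simply gets an empty log cell.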