labunix's blog

labunix's Lab Unix

CSV output of SRX {address,service} {address,service}-set policies

■CSV output of SRX {address,service} {address,service}-set policies

$ echo {address,service} {address,service}-set policies
address service address-set service-set policies

■Getting the address CSV
 No description has been configured, so the values can be pulled out as simply as follows.

$ ssh 172.16.76.203 "show configuration | display set | match \"address-book address \"" | \
    awk 'BEGIN{OFS=",";print "Zone,Name,IP/Subnet"}{print $5,$(NF-1),$NF}' > addresslist.csv

$ cat addresslist.csv 
Zone,Name,IP/Subnet
L3-Trust,vmnet1.100,172.16.76.100/32
L2-Trust,vmnet8.100,192.168.152.100/32
L2-Trust,vmnet8.host,192.168.152.1/32
L2-Trust,vmnet8.dns,192.168.152.2/32

■Getting the address-set CSV
 The third column here is the member address name, not an IP, so the header says so.

$ ssh 172.16.76.203 "show configuration | display set | match \"address-book address-set \"" | \
    awk 'BEGIN{OFS=",";print "Zone,Set,Member"}{print $5,$(NF-2),$NF}' > addressgrouplist.csv

$ cat addressgrouplist.csv 
Zone,Set,Member
L3-Trust,test,vmnet1.100
L2-Trust,vmnet8,vmnet8.host
L2-Trust,vmnet8,vmnet8.dns
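The two awk one-liners above work because every matching "display set" line ends in the value we want. They stop working as soon as an address carries a description (the description line also matches, and its last word lands in the IP/Subnet column) or an address book is global rather than zone-attached (field 5 is no longer a zone). The following Python script, added here as an example and not part of the original post, parses the same "display set" lines into the address and address-set CSVs while handling both cases. The sample lines are constructed (the description and the global address book are invented); the regular expressions and the column names are this example's own choices.

```python
import csv
import io
import re
import shlex

# Constructed sample of "show configuration | display set" output (not captured
# from a device). It adds a description line and a global address book: the awk
# one-liners above take $NF of every matching line, so a description would land in
# the IP/Subnet column, and a global book has no zone in field 5.
SAMPLE_SET_LINES = """\
set security zones security-zone L3-Trust address-book address vmnet1.100 172.16.76.100/32
set security zones security-zone L2-Trust address-book address vmnet8.100 192.168.152.100/32
set security zones security-zone L2-Trust address-book address vmnet8.host 192.168.152.1/32
set security zones security-zone L2-Trust address-book address vmnet8.host description "VMnet8 host adapter"
set security zones security-zone L2-Trust address-book address vmnet8.dns 192.168.152.2/32
set security zones security-zone L3-Trust address-book address-set test address vmnet1.100
set security zones security-zone L2-Trust address-book address-set vmnet8 address vmnet8.host
set security zones security-zone L2-Trust address-book address-set vmnet8 address vmnet8.dns
set security address-book global address-set everyone address-set vmnet8
"""

# Zone-attached books carry the zone name; global/named books carry the book name instead.
ZONE_BOOK = re.compile(r"^set security zones security-zone (\S+) address-book (.+)$")
NAMED_BOOK = re.compile(r"^set security address-book (\S+) (.+)$")

def parse_address_book(text):
    """Return (addresses, sets, descriptions) from display-set lines.

    addresses: [(zone, name, value)]   sets: [(zone, set, member_kind, member)]
    descriptions: {(zone, name): text}
    """
    addresses, sets, descriptions = [], [], {}
    for raw in text.splitlines():
        m = ZONE_BOOK.match(raw.strip()) or NAMED_BOOK.match(raw.strip())
        if not m:
            continue
        zone, rest = m.group(1), m.group(2)
        tokens = shlex.split(rest)          # keeps a quoted description as one token
        if len(tokens) < 3:
            continue
        kind, name = tokens[0], tokens[1]
        if kind == "address" and tokens[2] == "description":
            descriptions[(zone, name)] = " ".join(tokens[3:])
        elif kind == "address":             # value may be "1.2.3.4/32", "dns-name x", "range-address a to b"
            addresses.append((zone, name, " ".join(tokens[2:])))
        elif kind == "address-set" and len(tokens) >= 4:
            sets.append((zone, name, tokens[2], tokens[3]))
    return addresses, sets, descriptions

def to_csv(header, rows):
    # csv.writer quotes any field containing a comma or quote, which a plain join would not
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()

def address_csv(text):
    addresses, _, descriptions = parse_address_book(text)
    rows = [(z, n, v, descriptions.get((z, n), "")) for z, n, v in addresses]
    return to_csv(["Zone", "Name", "IP/Subnet", "Description"], rows)

def address_set_csv(text):
    _, sets, _ = parse_address_book(text)
    return to_csv(["Zone", "Set", "MemberType", "Member"], sets)

if __name__ == "__main__":
    print(address_csv(SAMPLE_SET_LINES))
    print(address_set_csv(SAMPLE_SET_LINES))
```

To use it against a device, feed it the output of the same ssh command as above (for example `ssh 172.16.76.203 "show configuration | display set" | python3 this_script.py` with a small stdin wrapper); the parser ignores every line that is not an address-book statement, so the `match` filter is no longer needed.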

■Getting the application CSV.
 For simplicity, I chose not to use [application-protocol] and similar keywords as column headers.

$ ssh 172.16.76.203 "show configuration applications" | \
    awk '{printf "%s", $0}' | \
    sed -e 's/}/\n/g' -e 's/ {\|;/,/g' -e 's/   *//g' | \
    awk '/^application /{gsub(/^application /,"");gsub(/,$/,"");print}'
proxy_3128,application-protocol http,protocol tcp,destination-port 3128,inactivity-timeout 1800
proxy_8080,application-protocol http,protocol tcp,destination-port 8080,inactivity-timeout 1800

■Getting the application-set CSV

$ ssh 172.16.76.203 "show configuration applications" | \
    awk '{printf "%s", $0}' | \
    sed -e 's/}/\n/g' -e 's/ {\|;/,/g' -e 's/   *//g' | \
    awk '/^application-set /{gsub(/^application-set /,"");gsub(/application /,"");gsub(/,$/,"");print}'
from-proxy,junos-http,junos-https,junos-ftp,junos-dns-tcp,junos-dns-udp,junos-ntp,junos-whois

■Getting the policies CSV
 This has a good chance of misaligning, and in fact it is already misaligned
 with only two policies.
 I will not chase this any further.

$ ssh 172.16.76.203 "show configuration security policies" | \
    awk '{printf "%s", $0}' | \
    sed -e 's/}/\n/g' -e 's/ {\|;/,/g' -e 's/   *//g' | \
    awk '{gsub(/match,/,"match ");gsub(/,$/,";");print}' | \
    awk '{printf "%s", $0}' | \
    sed -e 's/then,/,then /g' -e 's/;/\n/g'
from-zone L3-Untrust to-zone L3-Trust,policy allow-all-internal,match source-address any,destination-address any,application any
,then permit
from-zone L3-Untrust to-zone L2-Trust,policy pass_proxy_3128,match source-address any,destination-address vmnet8.100,application proxy_3128
,then permit,log,session-init
from-zone L2-Trust to-zone L3-Untrust,policy pass_from_proxy,match source-address vmnet8.100,destination-address any,application from-proxy
,then permit,log,session-init
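The sed/awk pipelines for applications, application-sets and policies above all flatten the curly-brace output and then cut on "}" and ";", which is why the policy rows drift once a "then" block nests a "log" block, and why a bracketed list such as "application [ a b ];" would spill into extra columns. The script below is an added example (not code from the original post) that parses the brace structure into a tree with an explicit stack, so nesting depth no longer matters, and then emits the same three kinds of rows. The sample texts are constructed: the applications block is cut down from the listing above, and the policy is the page's pass_proxy_3128 with a "[ a b ]" application list added to exercise list handling. Column names and the "|" join for multi-valued fields are this example's choices.

```python
import csv
import io

# Constructed samples (not captured from a device): the applications text is cut down
# from the listing above; the policy is pass_proxy_3128 with a "[ a b ]" list added.
SAMPLE_APPLICATIONS = """\
application proxy_3128 {
    application-protocol http;
    protocol tcp;
    destination-port 3128;
}
application-set from-proxy {
    application junos-http;
    application junos-dns-udp;
}
"""
SAMPLE_POLICIES = """\
from-zone L3-Untrust to-zone L2-Trust {
    policy pass_proxy_3128 {
        match {
            source-address any;
            destination-address vmnet8.100;
            application [ proxy_3128 proxy_8080 ];
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }
}
"""

def parse_junos(text):
    # Curly-brace Junos output -> nested dicts; a stack tracks the open blocks
    root = {"name": "", "leaves": [], "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):            # open a block: "policy X {"
            node = {"name": line[:-1].strip(), "leaves": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith(";"):          # leaf statement: "protocol tcp;"
            stack[-1]["leaves"].append(line[:-1].strip())
        else:
            raise ValueError("unexpected line: %r" % raw)
    if len(stack) != 1:
        raise ValueError("block not closed")
    return root

def child(node, name):
    # First child block headed exactly `name`, or an empty node if absent
    return next((c for c in node["children"] if c["name"] == name),
                {"name": name, "leaves": [], "children": []})

def values(node, key):
    # Values of leaf statements named `key`; "[ a b ]" on one line becomes ["a", "b"]
    out = []
    for leaf in node["leaves"]:
        if leaf.startswith(key + " "):
            rest = leaf[len(key) + 1:].strip()
            out.extend(rest[1:-1].split() if rest.startswith("[") else [rest])
    return out

def application_rows(tree):
    # [name, statement...] for an application, [name, member...] for an application-set
    rows = []
    for node in tree["children"]:
        kind, _, name = node["name"].partition(" ")
        if kind in ("application", "application-set"):
            rows.append([name] + (node["leaves"] if kind == "application" else values(node, "application")))
    return rows

def policy_rows(tree):
    # One row per policy; multi-valued match terms are joined with "|" to stay in one CSV cell
    rows = []
    for ctx in tree["children"]:
        parts = ctx["name"].split()   # "from-zone X to-zone Y"
        if len(parts) != 4 or parts[0] != "from-zone":
            continue
        for pol in ctx["children"]:
            kind, _, name = pol["name"].partition(" ")
            if kind != "policy":
                continue
            match, then = child(pol, "match"), child(pol, "then")
            # the action is a leaf ("permit;") or a block ("permit { ... }"); "log" is its own column
            action = then["leaves"] + [c["name"].split()[0] for c in then["children"] if c["name"] != "log"]
            rows.append([parts[1], parts[3], name,
                         "|".join(values(match, "source-address")),
                         "|".join(values(match, "destination-address")),
                         "|".join(values(match, "application")),
                         "|".join(action),
                         "|".join(child(then, "log")["leaves"])])
    return rows

def to_csv(header, rows):
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()
```

A call such as `print(to_csv(["From", "To", "Policy", "Source", "Destination", "Application", "Action", "Log"], policy_rows(parse_junos(SAMPLE_POLICIES))))` prints one line per policy with "then" and "log" kept in their own columns, which is exactly where the sed version above breaks its rows; the parser also raises on an unbalanced brace instead of silently producing a shifted row.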