Checkpoint to Palo Alto migration

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Checkpoint to Palo Alto migration

L0 Member

Hello Expert,

 

We are planing to migrate our current checkpoint platform R80 to Palo Alto firewall. I have gone through articles indicating the migration and would like to understand will Expedition tool migrates the NAT and VPN configuration too from checkpoint to palo alto.

 

Your early response will be highly appreciated.

 

Thanks in advance.

7 REPLIES 7

L5 Sessionator

NAT rules are already supported, but not VPN yet.

 

Notice that for Checkpoint R80.10 in XML format may be missing some address objects if those are not directly referenced in the security rules or NAT rules, but only in other groups. That means that it may not be able to perform a complete migration as objects may not be found. 

Is there an update?  

1. Is there a way to pull the VPN config from Checkpoint R80 (.jar file does not) and

2. Can Expedition migrate the VPN configuration?

D. Elliott

Hello Doug-Elliott,

 

Checkpoint VPN config migration is not supported at current version.

I wanted to see if there was an update to this topic. Looking to move from CP R80.40 to PA 10.4.2-h2. I looked through the release notes, but did not see anything about it. Just wanted to see if I overlooked something.

@DarrenVallance VPN for checkpoint migration is still not supported at this point. 

L0 Member

Can someone explain the process of migrating check-point to palo alto version 81.20..

Hi @M.Singh695310 

 

Thanks for reaching out.

 

The steps are the following ones:

 

1) You export your configuration from your current Checkpoint. See here how to do that: https://pan.dev/expedition/docs/expedition_export/#checkpoint--r80x

2) You login to Expedition UI.

3) You create a new project.

4) You go to import tab, select Checkpoint R80+.

5) You select your downloaded/generated file (*.tar.gz) and click on import.

6) You can monitor the import process by tailing the file (/tmp/error). Execute via CLI "tail -f /tmp/error".

7) After the import process Expedition will show the project Dashboard with a summary of the migrated objects. It is important to check the number of migrated objects and also check the tab Monitor taht contains a checklist of all actions taken by Expedition during the migration.

8 ) At this point you will need to go over your migration workflow removing invalids, duplicates and other issues pointed on the Monitor checklist.

9) After that you will need to merge your Checkpoint configuration with your base config using the drag and drop on the Export tab.

 

Let me share with you a set of videos explaining the migration workflow using as an example a CISCO configuration.

For your use case the steps will be the same, except the parser that will be Checkpoint:

https://www.youtube.com/playlist?list=PLD6FJ8WNiIqVez8EBeoyRsnQcKTA5FuZ-

 

Hope this helps,

 

David

  • 6813 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!