Checkpoint to Palo Alto


L1 Bithead

Hello,

 

I'm working on migrating a Checkpoint Firewall running R.81 to a Palo Alto using Expedition and after a few attempts and failures I started digging deeper into the objects configured on the Checkpoint. There are multiple "Domain Objects" which start with a "." and then followed by domain. Unfortunately FQDN objects in Palo Alto do not support that, so the migrated objects while pushed are actually invalid. These domain objects are used in the security policy as a Source or Destination. The report suggests converting to a Custom URL Category but would that work as a source? Would an EDL be a better option? Or is there another option?

 

My other challenge is there are "Updatable Objects" which I think is a mix of Application / EDL which is maintained by Checkpoint for specific applications and services and dynamically updated with "wildcard" domains and networks.

 

Has anyone migrated a Checkpoint recently with similar objects being used in the security policy and if so how did you replicate the same type of functionality since Palo Alto doesn't support either by default...

 

And is there a configuration example guide or something for exactly how you would format or enter in XML different configuration options in Expedition to push? I was able to figure out how to define a Custom URL Category but so far have failed to correctly get the right commands/syntax for Log Forwarding...

 

Thank you,

James


Accepted Solutions

Cyber Elite

I'm working on migrating a Checkpoint Firewall running R.81 to a Palo Alto using Expedition and after a few attempts and failures I started digging deeper into the objects configured on the Checkpoint. There are multiple "Domain Objects" which start with a "." and then followed by domain. Unfortunately FQDN objects in Palo Alto do not support that, so the migrated objects while pushed are actually invalid. These domain objects are used in the security policy as a Source or Destination. The report suggests converting to a Custom URL Category but would that work as a source? Would an EDL be a better option? Or is there another option?

PAN doesn't support wildcard FQDN objects, which is effectively what Checkpoint is doing there. You wouldn't use the custom URL category as a source, but rather set it as a condition on the security entry to match the traffic. Without knowing how it was being used, we can't really say if that would behave the same or not. I would recommend using an EDL if these are things that will be changing frequently, solely because it allows updates without actively committing changes on the firewall.


And is there a configuration example guide or something for exactly how you would format or enter in XML different configuration options in Expedition to push? I was able to figure out how to define a Custom URL Category but so far have failed to correctly get the right commands/syntax for Log Forwarding...


If there is one that exists outside of PAN, I've never come across it. The easiest way to get this is to have a lab device of some sort on which you can make the desired configuration, so you can see what it actually sets, and then utilize that information going forward. You can even do this on production equipment if it's the only thing that's available, since you can just revert to the running config to clear out the changes you made.

The issue with trying to share an example of log-forwarding is that it'll vary depending on what you actually need to set. Here's a really simple example to get started; the filter for capturing all logs is just <filter>All Logs</filter>

<!-- Log Forwarding profile. This <entry> sits under <log-settings><profiles>
     of the vsys on a firewall (or under <shared> on Panorama). -->
<entry name="Example-Log-Forwarding">
  <match-list>
    <!-- One match entry per log type + filter. Every <member> below must be
         the name of a server profile that already exists in the config. -->
    <entry name="CredentialSubmission">
      <send-email>
        <member>Alert-SecOps</member>            <!-- Email server profile -->
      </send-email>
      <send-syslog>
        <member>Prod-Graylog</member>            <!-- Syslog server profile -->
      </send-syslog>
      <send-http>
        <member>Teams-Alert</member>             <!-- HTTP server profiles -->
        <member>Slack-Alert</member>
      </send-http>
      <log-type>url</log-type>                   <!-- e.g. traffic, threat, url, wildfire -->
      <filter>(action eq continue)</filter>      <!-- or: <filter>All Logs</filter> -->
    </entry>
  </match-list>
</entry>

 

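Worked example, added here and not part of the original thread, of Expedition, or of either vendor's code: a Python script that takes the Check Point ".domain" objects Expedition reports and turns each into PAN-OS URL-list entries ("*.example.com/" for the subdomains plus "example.com/" for the apex, because "*." on its own does not cover the apex). It emits either a custom URL category XML fragment or a text body you can host as a URL-list EDL (an IP-list EDL would need addresses, not names), and it lists every rule that used such an object as a source, since a URL category matches the host the client asked for (HTTP Host header / TLS SNI) and can only stand in for a destination. Object names, rule names and the category name are constructed; the "URL List" <type> element assumes PAN-OS 9.0 or later; verify the trailing-slash and wildcard matching rules against the URL filtering guide for your PAN-OS version before relying on them.

```python
"""Map Check Point domain objects (".example.com") to Palo Alto URL entries.

Added example for this thread; not Expedition's, Check Point's or Palo Alto's code.

A Check Point domain object named ".example.com" matches example.com and every
subdomain.  A PAN-OS FQDN address object resolves a single name and has no
wildcard form, so the migrated objects are invalid.  The nearest equivalent is
a custom URL category (a URL-list EDL uses the same entry format), which
matches the requested host, so it can only replace *destination* usage.
"""
import re
import xml.etree.ElementTree as ET

# Constructed examples of the objects and rule references Expedition reports.
CP_DOMAIN_OBJECTS = [".example.com", ".cdn.example.net", "mail.example.org", ".bad name.com"]
CP_RULE_REFS = [  # (rule name, field the object is used in, object name)
    ("Allow-SaaS", "destination", ".example.com"),
    ("Allow-CDN", "destination", ".cdn.example.net"),
    ("Partner-Inbound", "source", ".example.com"),
]

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")


def to_url_entries(cp_name: str) -> list[str]:
    """One Check Point object -> PAN-OS URL-list entries.

    ".example.com"     -> ["example.com/", "*.example.com/"]
    "mail.example.org" -> ["mail.example.org/"]   (no leading dot: exact host)
    Invalid DNS names raise ValueError so nothing bogus is pushed silently.
    The trailing "/" ends the host match; "*.x" alone does not cover the apex.
    """
    name = cp_name.strip().lower()
    wildcard = name.startswith(".")
    domain = name[1:] if wildcard else name
    if not _DOMAIN_RE.fullmatch(domain):
        raise ValueError(f"not a valid domain name: {cp_name!r}")
    entries = [f"{domain}/"]
    if wildcard:
        entries.append(f"*.{domain}/")
    return entries


def convert_objects(cp_names) -> tuple[list[str], dict]:
    """Return (sorted unique URL entries, {rejected object: reason})."""
    entries, rejected = set(), {}
    for n in cp_names:
        try:
            entries.update(to_url_entries(n))
        except ValueError as e:
            rejected[n] = str(e)
    return sorted(entries), rejected


def build_custom_url_category(cat_name: str, entries) -> str:
    """PAN-OS XML for a URL-list custom category (<type> exists from PAN-OS 9.0)."""
    cat = ET.Element("custom-url-category")
    entry = ET.SubElement(cat, "entry", name=cat_name)
    lst = ET.SubElement(entry, "list")
    for e in entries:
        ET.SubElement(lst, "member").text = e
    ET.SubElement(entry, "type").text = "URL List"
    return ET.tostring(cat, encoding="unicode")


def build_edl_text(entries) -> str:
    """Body of a URL-list EDL file: one entry per line, served over HTTPS."""
    return "\n".join(entries) + "\n"


def source_side_refs(rule_refs) -> list[tuple[str, str]]:
    """Rules that used a domain object as *source*: a URL match cannot reproduce these."""
    return [(rule, obj) for rule, field, obj in rule_refs if field == "source"]


if __name__ == "__main__":
    ents, bad = convert_objects(CP_DOMAIN_OBJECTS)
    print(build_custom_url_category("CP-Domain-Objects", ents))
    print("rejected:", bad)
    print("needs manual work (object used as source):", source_side_refs(CP_RULE_REFS))
```

The rejected list and the source-side list are the two outputs to read before committing: the first is what Expedition would otherwise push as invalid, the second is what no URL category or EDL can replace and needs a different control (for example an IP-list EDL fed from your own resolver data).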


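A second added example (again mine, not from the thread, Palo Alto or Expedition): before pushing a log-forwarding profile like the one above through the XML API, lint the fragment for the mistakes that are easy to make when templating it, namely a match entry with no destination and no send-to-panorama (its logs are simply not forwarded anywhere), an empty or malformed filter, an unknown log-type, or a profile with no match entries at all, and then build the config "set" request for it. The sample profile is constructed from the posted fragment plus two more match entries, one of them deliberately broken. Assumptions: the log-type list is as of PAN-OS 10.x, and the xpath is for a single-vsys firewall (vsys1); on Panorama the shared profiles live under /config/shared/log-settings/profiles.

```python
"""Lint a PAN-OS log-forwarding profile fragment and build the XML-API request
that pushes it.  Added example for this thread; not Palo Alto's or Expedition's code.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample: the fragment posted above plus two more match entries.
# "Threat-Nowhere" is deliberately broken: it names no forwarding destination.
SAMPLE_PROFILE = """\
<entry name="Example-Log-Forwarding">
  <match-list>
    <entry name="CredentialSubmission">
      <send-email><member>Alert-SecOps</member></send-email>
      <send-syslog><member>Prod-Graylog</member></send-syslog>
      <send-http><member>Teams-Alert</member><member>Slack-Alert</member></send-http>
      <log-type>url</log-type>
      <filter>(action eq continue)</filter>
    </entry>
    <entry name="Traffic-All">
      <send-syslog><member>Prod-Graylog</member></send-syslog>
      <log-type>traffic</log-type>
      <filter>All Logs</filter>
    </entry>
    <entry name="Threat-Nowhere">
      <log-type>threat</log-type>
      <filter>(severity geq high)</filter>
    </entry>
  </match-list>
</entry>
"""

# Log types a firewall match entry accepts (PAN-OS 10.x naming; assumption).
VALID_LOG_TYPES = {"traffic", "threat", "wildfire", "url", "data", "gtp",
                   "tunnel", "auth", "sctp", "decryption"}
# Forwarding methods; each <member> must name an existing server profile.
DEST_TAGS = ("send-syslog", "send-email", "send-snmptrap", "send-http")
# Where firewall log-forwarding profiles live (single vsys assumed).
PROFILES_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
                  "/vsys/entry[@name='vsys1']/log-settings/profiles")


def lint_profile(xml_text: str) -> list[str]:
    """Return human-readable problems; an empty list means the fragment looks sane."""
    root = ET.fromstring(xml_text)
    if root.tag != "entry" or not root.get("name"):
        return ["top-level element must be <entry name=...> (a <profiles> child)"]
    problems = []
    matches = root.findall("./match-list/entry")
    if not matches:
        problems.append("profile has no match-list entries; it forwards nothing")
    for m in matches:
        mname = m.get("name", "?")
        log_type = (m.findtext("log-type") or "").strip()
        if log_type not in VALID_LOG_TYPES:
            problems.append(f"{mname}: unknown log-type {log_type!r}")
        flt = (m.findtext("filter") or "").strip()
        if not flt:
            problems.append(f"{mname}: empty <filter>; use 'All Logs' to match every log")
        elif flt != "All Logs" and not (flt.startswith("(") and flt.endswith(")")):
            problems.append(f"{mname}: filter must be 'All Logs' or a parenthesised expression")
        dests = [mem.text for tag in DEST_TAGS for mem in m.findall(f"./{tag}/member")]
        if not dests and (m.findtext("send-to-panorama") or "").strip() != "yes":
            problems.append(f"{mname}: no destination; matching logs would not be forwarded")
    return problems


def set_request(host: str, xml_text: str) -> tuple[str, dict]:
    """(URL, query params) for a config 'set' of the profile under <profiles>.
    Send as GET or POST with the API key in the X-PAN-KEY header."""
    element = ET.tostring(ET.fromstring(xml_text), encoding="unicode")
    params = {"type": "config", "action": "set",
              "xpath": PROFILES_XPATH, "element": element}
    return f"https://{host}/api/", params


if __name__ == "__main__":
    for p in lint_profile(SAMPLE_PROFILE) or ["no problems found"]:
        print(p)
    url, params = set_request("fw.example.internal", SAMPLE_PROFILE)
    print(url + "?" + urlencode(params)[:80] + "...")
```

Run the lint against the fragment you captured from the lab device first; once it passes, the same set_request() output is what Expedition would effectively issue, and a follow-up "show config candidate" for the same xpath confirms that the names in every <member> resolved to existing server profiles before you commit.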

Thank you very much for taking the time to respond. I do believe that using EDL would be the best approach for the DNS Domain Object from Checkpoint... Thank you for sharing an XML example, I will play with it and see if I can capture the specific settings I'm looking for and then template it out...

 

Thank you,

James
