01-24-2011 07:59 AM
I had the same questions when we converted from PIX to PAN in April 2009. No such tool existed then. We wrote our own Perl scripts to convert the PIX names, port-objects, and object-groups into equivalent PANOS statements. That eliminated a lot of grunt work.
PAN security policies that take advantage of PAN capabilities are substantially different from what our PIX firewall had. No effort was made to auto-convert the PIX ACLs, but we did use tools to optimize and pretty-print the PIX ACLs prior to creating PAN security policies.
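An added illustration of the kind of scripted object conversion described above (example code written for this page, not the poster's Perl scripts and not the vendor tool; the PAN-OS XML layout and the `net-` naming for subnets that have no `name` label are assumptions):

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample PIX-style statements (not taken from the thread).
SAMPLE_CONFIG = """\
name 10.1.1.10 web-srv
object-group network dmz-servers
 network-object host web-srv
 network-object 10.1.2.0 255.255.255.0
"""

def parse_pix_objects(text):
    """Return (names, groups): label -> ip, and group -> member list."""
    names, groups, current = {}, {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "name" and len(parts) >= 3:     # name <ip> <label>
            names[parts[2]] = parts[1]
        elif parts[:2] == ["object-group", "network"]:
            current = parts[2]
            groups[current] = []
        elif parts[0] == "network-object" and current:
            if parts[1] == "host":                      # label or bare IP
                groups[current].append(parts[2])
            else:                                       # network + dotted mask
                net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
                groups[current].append(str(net))        # e.g. "10.1.2.0/24"
        else:
            current = None                              # any other line ends the block
    return names, groups

def to_panos_xml(names, groups):
    """Emit <address>/<address-group> entries in an assumed PAN-OS-like layout."""
    root = ET.Element("vsys")
    addr = ET.SubElement(root, "address")
    grp = ET.SubElement(root, "address-group")
    for label, ip in names.items():
        ET.SubElement(ET.SubElement(addr, "entry", name=label), "ip-netmask").text = ip
    for gname, members in groups.items():
        static = ET.SubElement(ET.SubElement(grp, "entry", name=gname), "static")
        for m in members:
            if m not in names:   # bare subnet/IP: static groups need named objects
                obj = "net-" + m.replace("/", "-")
                ET.SubElement(ET.SubElement(addr, "entry", name=obj), "ip-netmask").text = m
                m = obj
            ET.SubElement(static, "member").text = m
    return ET.tostring(root, encoding="unicode")
```

Running `to_panos_xml(*parse_pix_objects(SAMPLE_CONFIG))` yields one address entry per `name` line plus a derived entry for each unnamed subnet, and the group members reference those entries by name.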
01-24-2011 07:59 AM
Roland,
Such a tool does exist but you will need to contact your local SE for access to it.
~Phil
01-25-2011 05:32 AM
Hi Phil,
indeed I have already received the tool from the SE in Germany.
rgds
Roland
01-26-2011 07:29 AM
I've been working on a couple of projects with the migration tool for CP-to-PAN and find it an interesting challenge. If you have both the time and inclination to share your experience, please do tell.
Kind regards,
Jeff
01-26-2011 07:55 AM
I don't have CP experience and am only familiar with PIX and Juniper.
Our PAN migration from PIX greatly benefited from having a pair of PIX installed in a failover setup. That made it much easier to wire in the new PAN firewalls without any interruption. And, the ability to easily switch back to a functional PIX firewall provided a nice contingency plan. After the migration and cleanup, our high-availability PAN setup was done without any service interruptions.
Make sure that your new security policies have an explicit default-deny stance. Otherwise, the denies will not be logged, and it will be more difficult to see why traffic is not flowing.
01-26-2011 08:43 AM
If you like XML format, then use the Checkpoint Config Wizard (CPConfigWiz). This will take your SmartCenter config and make an XML version. Now the data (Objects, FW Rules, NAT Rules) are easy to move around.
Just remember to create NAT rules in the PA for all of the objects with Automatic NAT in the Checkpoint.
You can grab the Config Wizard from support.checkpoint.com
01-26-2011 05:31 PM
I wish Palo Alto had published the existence of said tool and/or posted it in the community for use.
Would have saved time in recreating all the objects.
01-28-2011 07:30 AM
Hello all,
I have received the migration tool. It's a VMware image and you can fire it up in VMware Player, for example. It supports converting firewall configs from Check Point, Cisco (PIX, ASA, FWSM) and Netscreen.
I haven't tested it until now, but it looks promising.
rgds
Roland
01-28-2011 10:49 PM
Hi all,
We do have a migration tool which supports config migration from PIX/IOS, Junos/ScreenOS and Checkpoint < R70. However, as there is no 100% migration (don't think there is any perfect migration tool no matter what vendor you are migrating to) and you also need to verify or revise the policy with an experienced PAN certified SE, we don't publish it for general use. But you can always contact your SI as many of them already have knowledge of this tool and probably it is better for you to work with them to migrate your policy.
Regards,
Jones
01-29-2011 12:00 AM
Hi Jones,
thanks for the info. I wasn't aware this tool supports only CP < R70. But this should be fine at the moment, although R75 has just been released. I am not an end user, we are a business partner, that's why we got the tool.
Is there a user manual for this migration utility?
Since we have a Check Point firewall in the lab, I have the possibility to test the migration tool without risk.
rgds
Roland
01-29-2011 01:04 AM
Hi Roland,
Yes, we have a simple doc, but I would recommend you request a briefing from the local SE or distributor before you use it.
01-31-2011 08:35 AM
Does "Migration Tool" also support migration of Cisco router ACLs?
I think not, but I'll try anyway to ask you 🙂
Thanks
01-31-2011 09:53 AM
The tool doesn't do conversion for Cisco router ACLs as its primary focus is firewall conversions. However, if you're good with scripting or script manipulations, it probably wouldn't be too hard to convert these to an XML format that you could import into PAN. Router ACLs don't have a lot of fields to manipulate, so that may make the task a little simpler.
01-31-2011 10:18 AM
Thanks, but I was reading the "Firewall Configuration Migration Tool Datasheet", where it says:
Cisco PIX (6.x, 7.x, 8.x)
Cisco ASA (7.x, 8.0, 8.1)
Cisco IOS (11.x and newer, extended ACL's only)
So, I thought that Cisco router ACLs (Cisco IOS) could be supported when configured in "extended format".
Am I wrong?
Thanks