Migration from Check Point to PAN

Reply
Highlighted
L4 Transporter

Migration from Check Point to PAN

Hi all,

is there a "Tool" to convert a Check Point Config (security policies etc.) to a PAN Firewall ?

kind rgds

Roland

Highlighted
L2 Linker

I had the same questions when we converted from PIX to PAN in April 2009.  No such tool existed then.  We wrote our own Perl scripts to convert the PIX names, port-objects, and object-groups into equivalent PANOS statements. That eliminated a lot of grunt work.

PAN security policies that take advantage of PAN capabilities are substantially different from what our PIX firewall had.  No effort was made to auto-convert the PIX ACLs, but we did use tools to optimize and pretty-print the PIX ACLs prior to creating PAN security policies.

Highlighted
L4 Transporter

Roland,

Such a tool does exist but you will need to contact your local SE for access to it.

~Phil

Highlighted
L4 Transporter

Hi Phil,

indeed I have already received the tool from the SE in Germany.

rgds

Roland

Highlighted
Not applicable

I've been working on a couple of projects with the migration tool for CP-to-PAN and find it an interesting challenge. If you have both the time and inclination to share your experience, please do tell.

Kind regards,

Jeff

Highlighted
L2 Linker

I don't have CP experience and am only familiar with PIX and Juniper.

Our PAN migration from PIX greatly benefited from having a pair of PIX installed in a failover setup.  That made it much easier wire in the new PAN firewalls without any interruption.  And, the ability to easily switch back to a functional PIX firewall provided a nice contingency plan. After the migration and cleanup, our high-availability PAN setup was done without any service interruptions.

Make sure that your new security policies have an explicity default-deny stance.  Otherwise, the denies will not be logged, and it will be more difficult to see why traffic is not flowing.

Highlighted
L1 Bithead

if you like XML format, then use the Checkpoint Config Wizard (CPConfigWiz). This will take your SmartCenter config and make a XML version.  Now the data (Objects, FW Rules, NAT Rules) are easy to move around.

Just remember to create NAT rules in the PA for all of the objects with Automatic NAT in the Checkpoint.

You can grab the Config Wizard from support.checkpoint.com

Highlighted
Not applicable

I wished Palo Alto would have published the existence of said tool and/or posted it in the community for use.

Would have saved time in recreating all the objects.

Highlighted
L4 Transporter

Hello all,

I have received the migration tool. It's a vmware image and you can fire it up VMware Player for example. It supports converting Firewall configs from Check Point , Cisco (PIX,ASA,FWSM) and Netscreen.

I haven't tested it until now, but it looks promising.

rgds

Roland

Highlighted
L4 Transporter

Hi all,

We do have a migration tools which we support config migration from PIX/IOS, Junos/ScreenOS and Checkpoint < R70 migration. Howev er, as there is no 100% migration (don't think there is any perfect migration tool no matter what vendor you are migration to) and you also need to verify or revise the policy by experienced PAN certified SE, we don't publish it for general use. But you can always contact your SI as many of them already have knowledge on this tool and probably it is better for you to work with them to migrate your policy.

Regards,

Jones

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!