Migration from Check Point to PAN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Migration from Check Point to PAN

L4 Transporter

Hi all,

is there a "Tool" to convert a Check Point Config (security policies etc.) to a PAN Firewall ?

kind rgds

Roland

23 REPLIES 23

L2 Linker

I had the same questions when we converted from PIX to PAN in April 2009.  No such tool existed then.  We wrote our own Perl scripts to convert the PIX names, port-objects, and object-groups into equivalent PANOS statements. That eliminated a lot of grunt work.

PAN security policies that take advantage of PAN capabilities are substantially different from what our PIX firewall had.  No effort was made to auto-convert the PIX ACLs, but we did use tools to optimize and pretty-print the PIX ACLs prior to creating PAN security policies.

L4 Transporter

Roland,

Such a tool does exist but you will need to contact your local SE for access to it.

~Phil

Hi Phil,

indeed I have already received the tool from the SE in Germany.

rgds

Roland

I've been working on a couple of projects with the migration tool for CP-to-PAN and find it an interesting challenge. If you have both the time and inclination to share your experience, please do tell.

Kind regards,

Jeff

I don't have CP experience and am only familiar with PIX and Juniper.

Our PAN migration from PIX greatly benefited from having a pair of PIX installed in a failover setup.  That made it much easier wire in the new PAN firewalls without any interruption.  And, the ability to easily switch back to a functional PIX firewall provided a nice contingency plan. After the migration and cleanup, our high-availability PAN setup was done without any service interruptions.

Make sure that your new security policies have an explicity default-deny stance.  Otherwise, the denies will not be logged, and it will be more difficult to see why traffic is not flowing.

if you like XML format, then use the Checkpoint Config Wizard (CPConfigWiz). This will take your SmartCenter config and make a XML version.  Now the data (Objects, FW Rules, NAT Rules) are easy to move around.

Just remember to create NAT rules in the PA for all of the objects with Automatic NAT in the Checkpoint.

You can grab the Config Wizard from support.checkpoint.com

Not applicable

I wished Palo Alto would have published the existence of said tool and/or posted it in the community for use.

Would have saved time in recreating all the objects.

L4 Transporter

Hello all,

I have received the migration tool. It's a vmware image and you can fire it up VMware Player for example. It supports converting Firewall configs from Check Point , Cisco (PIX,ASA,FWSM) and Netscreen.

I haven't tested it until now, but it looks promising.

rgds

Roland

Hi all,

We do have a migration tools which we support config migration from PIX/IOS, Junos/ScreenOS and Checkpoint < R70 migration. Howev er, as there is no 100% migration (don't think there is any perfect migration tool no matter what vendor you are migration to) and you also need to verify or revise the policy by experienced PAN certified SE, we don't publish it for general use. But you can always contact your SI as many of them already have knowledge on this tool and probably it is better for you to work with them to migrate your policy.

Regards,

Jones

Hi Jones,

thanks for the info. I wasn't aware this tool supports only CP <R70. But this should be fine at the moment although R75 has just been released. I am not an enduser, we are a business partner, that's why we got the tool.

Is there a user manual for this migration utility ?

Since we have have a Check Point Firewall in the Lab I have the possibilty to test the migration tool without risk.

rgds

Roland

Hi Roland,

Yes we have a simple doc but I would recommend you to request for a briefing from the local SE or distributor before you use it.

Does "Migration Tool" support also migration of Cisco Router ACL?

I think not but I try anyway to ask you 🙂

Thanks

The tool doesn't do conversion for Cisco Router ACL's as it's primary focus is firewall conversions.  However, if you're good with scripting or script manipulations, it probably wouldn't be too hard to convert these to an xml format that you could import into PAN.  Router ACL's don't have a lot of fields to manipulate so that may make the task a little simpler.

Thanks, but I was reading "Firewall Configuration Migration Tool Datasheet" when there's written:

Cisco PIX (6.x, 7.x, 8.x)

Cisco ASA (7.x, 8.0, 8.1)

Cisco IOS (11.x and newer, extended ACL's only)

So, I thought that Cisco router's ACL (Cisco IOS) could be supported when configured in "extended format".

Am I wrong?

Thanks

  • 12071 Views
  • 23 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!