I had the same questions when we converted from PIX to PAN in April 2009. No such tool existed then. We wrote our own Perl scripts to convert the PIX names, port-objects, and object-groups into equivalent PANOS statements. That eliminated a lot of grunt work.
PAN security policies that take advantage of PAN capabilities are substantially different from what our PIX firewall had. No effort was made to auto-convert the PIX ACLs, but we did use tools to optimize and pretty-print the PIX ACLs prior to creating PAN security policies.
I've been working on a couple of projects with the migration tool for CP-to-PAN and find it an interesting challenge. If you have both the time and inclination to share your experience, please do tell.
I don't have CP experience and am only familiar with PIX and Juniper.
Our PAN migration from PIX greatly benefited from having a pair of PIX installed in a failover setup. That made it much easier wire in the new PAN firewalls without any interruption. And, the ability to easily switch back to a functional PIX firewall provided a nice contingency plan. After the migration and cleanup, our high-availability PAN setup was done without any service interruptions.
Make sure that your new security policies have an explicity default-deny stance. Otherwise, the denies will not be logged, and it will be more difficult to see why traffic is not flowing.
if you like XML format, then use the Checkpoint Config Wizard (CPConfigWiz). This will take your SmartCenter config and make a XML version. Now the data (Objects, FW Rules, NAT Rules) are easy to move around.
Just remember to create NAT rules in the PA for all of the objects with Automatic NAT in the Checkpoint.
You can grab the Config Wizard from support.checkpoint.com
I have received the migration tool. It's a vmware image and you can fire it up VMware Player for example. It supports converting Firewall configs from Check Point , Cisco (PIX,ASA,FWSM) and Netscreen.
I haven't tested it until now, but it looks promising.
We do have a migration tools which we support config migration from PIX/IOS, Junos/ScreenOS and Checkpoint < R70 migration. Howev er, as there is no 100% migration (don't think there is any perfect migration tool no matter what vendor you are migration to) and you also need to verify or revise the policy by experienced PAN certified SE, we don't publish it for general use. But you can always contact your SI as many of them already have knowledge on this tool and probably it is better for you to work with them to migrate your policy.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!