- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-18-2023 02:44 AM
Hi Team,
We need to migrate a cluster Checkpoint firewall to PaloAlto. We do not have any Zones configured in Checkpoint, but Palo should have Zones as it is zone based firewalls. May i know what is the best way to migrate? Any KB or guide that can give detailed info on migration from Checkpoint to Palo?
Regards,
Sanjay S
07-18-2023 06:09 AM
You can use Expedition to help you perform the migration, or you can build out the configuration manually using the Checkpoint configuration as a reference. What you utilize really depends a lot on your own comfort and what you want to utilize.
Note that there's some differences in how you do this on what Checkpoint release you're currently running. I'd do some searches if you decide to utilize expedition as there's guides on getting the proper information for an expedition run if that's how you decide to do things.
I'm partial to using the existing configuration as a baseline and "palotizing" the configuration with the existing configuration as a basis. This is also a good time to work with the requisite individuals to ensure that everything you're moving over is still needed, and that you aren't bringing across any stale rules or objects that aren't actually needed or utilized anymore.
07-19-2023 08:26 PM
Hi @Sanjay_Ramaiah ,
If the config is not too large and you may not do this again, it may be best to manually configure the PA. Generally, you assign a zone to each interface on the Check Point.
If the migration is huge, then it will pay off to use Expedition. https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool You can search on that page and find lots of discussions. Here are a couple good ones you may like:
One thing that I really like about Expedition is the ability to clean up clutter that has accumulated over the years. It does a great job of identifying unused configuration.
Thanks,
Tom
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!