This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Migration from Checkpoint R81.10 to PaloAlto

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Migration from Checkpoint R81.10 to PaloAlto

Sanjay_Ramaiah
L4 Transporter

‎07-18-2023 02:44 AM

Hi Team,

We need to migrate a cluster Checkpoint firewall to PaloAlto. We do not have any Zones configured in Checkpoint, but Palo should have Zones as it is zone based firewalls. May i know what is the best way to migrate? Any KB or guide that can give detailed info on migration from Checkpoint to Palo?

Regards,

Sanjay S

1 person had this problem.
0 Likes Likes
2 REPLIES 2

BPry
Cyber Elite
Cyber Elite

‎07-18-2023 06:09 AM

@Sanjay_Ramaiah,

You can use Expedition to help you perform the migration, or you can build out the configuration manually using the Checkpoint configuration as a reference. What you utilize really depends a lot on your own comfort and what you want to utilize.

Note that there's some differences in how you do this on what Checkpoint release you're currently running. I'd do some searches if you decide to utilize expedition as there's guides on getting the proper information for an expedition run if that's how you decide to do things. 

 

I'm partial to using the existing configuration as a baseline and "palotizing" the configuration with the existing configuration as a basis. This is also a good time to work with the requisite individuals to ensure that everything you're moving over is still needed, and that you aren't bringing across any stale rules or objects that aren't actually needed or utilized anymore. 

0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎07-19-2023 08:26 PM

Hi @Sanjay_Ramaiah ,

 

If the config is not too large and you may not do this again, it may be best to manually configure the PA.  Generally, you assign a zone to each interface on the Check Point.

 

If the migration is huge, then it will pay off to use Expedition.  https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool  You can search on that page and find lots of discussions.  Here are a couple good ones you may like:

 

https://live.paloaltonetworks.com/t5/expedition-discussions/checkpoint-r80-10-migration-document/td-...

https://live.paloaltonetworks.com/t5/expedition-articles/migrating-checkpoint-r80-updated-on-decembe...

https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-error-upload-tgz-checkpoint-r...

 

One thing that I really like about Expedition is the ability to clean up clutter that has accumulated over the years.  It does a great job of identifying unused configuration.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 3971 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks