checkpoint to FWSM conversion

Mar 25th, 2008


Has anyone any experience converting from their checkpoint firewall to a brand new FWSM blade.

Any advice or tips would be much appreciated.

cisco24x7 Tue, 03/25/2008 - 04:36

What do you need to know?

1- Checkpoint configuration in traditional or simplified mode?

2- NG, NG with AI R55 or NGx R60/R61/R62 or R65?

3- What level of HFA?

Please be more specific.

CCIE Security

770801tvdhaar Tue, 03/25/2008 - 05:18

1. Simplified mode

2. NGX R60 HFA_04, hotfix 604

3. Either 04 hotfix 604; if not, then I'm unsure

I've started using SCT to convert the rules.

Any other documents you can point me to before I test the conversion?

I will probably have more specific questions later on in the test.

jan.nielsen Tue, 03/25/2008 - 05:14

One tip would be to get the SCT tool from Cisco that can convert your FW-1 rulebase/routing and such to FWSM/ASA syntax. This can get you quite a bit of the way with the actual tedious work of converting between the two.

cisco24x7 Tue, 03/25/2008 - 07:26

I've done checkpoint to Pix and FWSM firewall rule conversion about 10 times in the last two years and I can say that the success is about 10%.

The SCT tool is completely useless. I've used it back in 2005 when it was still in beta.

I remembered one time having to convert a checkpoint security two tier solution over to Pix/ASA. There were about 80 rules in the policy with a lot of group-objects, hosts, networks, services, and nested group-objects, and complex natting.

I gave the checkpoint security policy to a Cisco engineer to do the security conversion. Two weeks later, he told me that the configuration is about 450k lines long and that he is only half way through the checkpoint security policy. He loaded the configuration into a Pix535 and the pix could not handle it either.

When doing checkpoint to Cisco conversion, there are several things to keep in mind:

1- Are you using secondary on the Checkpoint platform such as Nokia? If the answer is yes, this is unworkable in Cisco; you will need a new vlan for this.

2- Do you have any "negate" rules in checkpoint? If the answer is yes, this will not work in Cisco.

3- Do you have any "domain" object in the security policy such as ""? If the answer is yes, it will not work in cisco.

There are a lot of things that need to be planned out before the conversion can take place. When you convert from one firewall platform to another one, there will be architectural redesign whether you like it or

SolSoft can help you with it but I am not sure either. When I checked out their product about 1.5 years ago, it still sucks, better than Cisco SCT but still not where it should


CCIE Security

770801tvdhaar Tue, 03/25/2008 - 12:30

Thanks for your input, I understand you have the experience to back the talk.

I'm using secondary on the Checkpoint (Nokia) as our VPN gateway; can you elaborate on what you mean by "you gonna need a new vlan"?

Negate rules can be rewritten, I have about 20 odd.

I'm starting to realise the redesign you mentioned; I have about 250 rules to convert and the topology has to change.

Just curious, when you say success is about 10%, is that with SCT or a full conversion?

cisco24x7 Tue, 03/25/2008 - 13:17


- Are you using secondary IP addresses on the Nokia? In other words, do you have multiple ip addresses on the Nokia interfaces? If you do, it will not work on the FWSM and you have to create a new VLAN for this. Secondary IP addresses on the Nokia work the same way as on Cisco IOS routers.

- Negate rules can be written, yes, but it is not a simple thing. The SCT tool couldn't do it either.

- Be careful with the FWSM. If I am not mistaken, it can have a maximum of 65k lines in the configuration in single-context mode and 128k lines in the configuration in multiple-context mode. That is NOT a whole lot when you convert from Checkpoint to FWSM.

- When I mentioned 10%, I meant to say I did about 10 checkpoint to Pix/ASA conversions and 1 out of 10 actually worked. The other 9 were a mess. Customers were not very happy. The Cisco Engineer helping with the project was a triple-CCIE and he could not do it either. At the end, the customer decided to stay with Nokia and upgraded the Nokia to the IP2260.

Last but not least, if you have a lot of interfaces on the Nokia and complex rules, it will get harder. FWSM does NOT support VPN either. You have to get a spa module for this.

Good luck to you.

CCIE security
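The "negate" rule problem raised in the posts above comes down to ACL semantics: a Check Point rule with a negated source lets the excluded traffic fall through to later rules, while an FWSM/ASA access-list is first-match and has no NOT operator. The script below is an added example written for this thread; it is not Cisco's SCT tool and not the poster's rulebase. It expands a negated permit rule into explicit deny entries followed by a permit-any entry, and flags the cases where that expansion would silently shadow a later permit rule (or where the negated rule is a deny, which has no direct expansion), so those go to a human. The rule dictionary shape, the ACL name `cp_inside` and the sample networks are all constructed for the example.

```python
"""Rewrite Check Point-style rules with a negated source into ordered FWSM/ASA
access-list lines.  Added example, not Cisco SCT and not the thread's policy.
Constructed rule shape: src/dst are lists of CIDR strings, src_negate marks a
NOT on the source column, svc is None (any IP) or (protocol, port), action is
"permit" or "deny".
"""
from ipaddress import ip_network


def acl_addr(cidr):
    """Render a CIDR in FWSM/ASA address syntax: any, host A.B.C.D, or A.B.C.D MASK."""
    net = ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def acl_line(name, action, proto, src, dst, port):
    """One extended ACE; FWSM/ASA evaluate the list top down, first match wins."""
    tail = f" eq {port}" if port is not None else ""
    return f"access-list {name} extended {action} {proto} {acl_addr(src)} {acl_addr(dst)}{tail}"


def svc_overlaps(a, b):
    """True if two services (None = any IP, or (proto, port)) can match one packet."""
    if a is None or b is None:
        return True
    return a[0] == b[0] and (a[1] is None or b[1] is None or a[1] == b[1])


def nets_overlap(cidrs_a, cidrs_b):
    return any(ip_network(x, strict=False).overlaps(ip_network(y, strict=False))
               for x in cidrs_a for y in cidrs_b)


def negation_conflicts(rules, idx):
    """Indices of later permit rules that a plain expansion of rules[idx] would shadow.

    In Check Point the negated sources skip this rule and are judged later.  The
    expansion emits explicit denies for them, so a later permit for the same
    source/destination/service would never be reached.
    """
    r = rules[idx]
    return [j for j, later in enumerate(rules)
            if j > idx and later["action"] == "permit"
            and nets_overlap(r["src"], later["src"])
            and nets_overlap(r["dst"], later["dst"])
            and svc_overlaps(r["svc"], later["svc"])]


def expand_rule(name, rule):
    """Expand one rule into ACEs; a negated source becomes deny-then-permit-any."""
    proto, port = rule["svc"] if rule["svc"] else ("ip", None)
    lines = []
    if rule.get("src_negate"):
        for s in rule["src"]:
            for d in rule["dst"]:
                lines.append(acl_line(name, "deny", proto, s, d, port))
        for d in rule["dst"]:
            lines.append(acl_line(name, rule["action"], proto, "0.0.0.0/0", d, port))
    else:
        for s in rule["src"]:
            for d in rule["dst"]:
                lines.append(acl_line(name, rule["action"], proto, s, d, port))
    return lines


def convert(name, rules):
    """Return (acl_lines, indices_needing_manual_rewrite).

    Negated deny rules, and negated permit rules that would shadow a later
    permit, are emitted as remarks instead of wrong ACEs.
    """
    lines, manual = [], []
    for i, r in enumerate(rules):
        if r.get("src_negate") and (r["action"] != "permit" or negation_conflicts(rules, i)):
            manual.append(i)
            lines.append(f"access-list {name} remark rule {i}: negated source needs manual rewrite")
            continue
        lines.extend(expand_rule(name, r))
    return lines, manual


# Constructed sample policy (not the thread's real rulebase).
SAMPLE_RULES = [
    # everyone except the guest network may reach the web server
    {"src": ["10.10.0.0/16"], "src_negate": True, "dst": ["192.0.2.10/32"],
     "svc": ("tcp", 80), "action": "permit"},
    {"src": ["10.20.0.0/16"], "src_negate": False, "dst": ["192.0.2.20/32"],
     "svc": ("tcp", 22), "action": "permit"},
    # negated rule whose excluded network is permitted again by the next rule
    {"src": ["10.30.0.0/16"], "src_negate": True, "dst": ["192.0.2.30/32"],
     "svc": None, "action": "permit"},
    {"src": ["10.30.1.0/24"], "src_negate": False, "dst": ["192.0.2.30/32"],
     "svc": ("udp", 53), "action": "permit"},
]

if __name__ == "__main__":
    acl, manual = convert("cp_inside", SAMPLE_RULES)
    print("\n".join(acl))
    print(f"{len(acl)} ACEs emitted; rules needing manual work: {manual}")
```

Run as-is, the first sample rule becomes one deny plus one permit-any ACE, the third is held back as a remark because the fourth rule re-permits part of the negated network, which is exactly the interaction that makes negate rules "not a simple thing" to convert. The emitted ACE count is also the number to compare against whatever configuration size limit the target platform documents, since each negated object multiplies into several lines.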
