03-25-2008 01:16 AM - edited 03-11-2019 05:21 AM
Hi,
Has anyone any experience converting from their Checkpoint firewall to a brand new FWSM blade?
Any advice or tips would be much appreciated.
03-25-2008 04:36 AM
What do you need to know?
1- Checkpoint configuration in traditional or simplified mode?
2- NG, NG with AI R55 or NGx R60/R61/R62 or R65?
3- What level of HFA?
Please be more specific.
CCIE Security
03-25-2008 05:18 AM
1. Simplified mode
2. NGX R60 HFA_04, hotfix 604
3. Either 04 hotfix 604; if not, then I'm unsure
I've started using SCT to convert the rules.
Any other documents you can point me to before I test the conversion?
I will probably have more specific questions later on in the test.
03-25-2008 05:14 AM
One tip would be to get the SCT tool from Cisco that can convert your FW-1 rulebase/routing and such to a FWSM/ASA syntax, this can get you quite a bit of the way with the actual tedious work of converting between the two.
03-25-2008 07:26 AM
I've done Checkpoint to Pix and FWSM firewall rule conversions about 10 times in the last two years and I can say that the success rate is about 10%.
The SCT tool is completely useless. I used it back in 2005 when it was still in beta.
I remember one time having to convert a Checkpoint security two-tier solution over to Pix/ASA. There were about 80 rules in the policy with a lot of group-objects, hosts, networks, services, nested group-objects, and complex NATting.
I gave the Checkpoint security policy to a Cisco engineer to do the security conversion. Two weeks later, he told me that the configuration was about 450k lines long and that he was only halfway through the Checkpoint security policy. He loaded the configuration into a Pix 535 and the Pix could not handle it either.
When doing a Checkpoint to Cisco conversion, there are several things to keep in mind:
1- Are you using secondaries on the Checkpoint platform such as Nokia? If the answer is yes, this is unworkable in Cisco; you will need a new VLAN for this.
2- Do you have any "negate" rules in Checkpoint? If the answer is yes, this will not work in Cisco.
3- Do you have any "domain" objects in the security policy such as "mydomain.com"? If the answer is yes, it will not work in Cisco either.
There are a lot of things that need to be planned out before the conversion can take place. When you convert from one firewall platform to another, there will be architectural redesign whether you like it or not.
SolSoft can help you with it, but I am not sure either. When I checked out their product about 1.5 years ago, it still sucked: better than Cisco SCT but still not where it should be.
CCIE Security
03-25-2008 12:30 PM
Thanks for your input, I understand you have the experience to back the talk.
I'm using secondaries on the Checkpoint (Nokia) as our VPN gateway; can you elaborate on what you mean by "you gonna need a new vlan"?
Negate rules can be rewritten, I have about 20 odd.
I'm starting to begin to realise the redesign you mentioned; I have about 250 rules to convert and the topology has to change.
Just curious, when you say success is about 10%, is that with SCT or a full conversion?
03-25-2008 01:17 PM
Hi,
- Are you using secondary IP addresses on the Nokia? In other words, do you have multiple IP addresses on the Nokia interfaces? If you do, it will not work on the FWSM and you have to create a new VLAN for this. Secondary IP addresses on the Nokia work the same way as on Cisco IOS routers.
- Negate rules can be written, yes, but it is not a simple thing. The SCT tool couldn't do it either.
- Be careful with the FWSM. If I am not mistaken, it can have a maximum of 65k lines in the configuration in single-context mode and 128k lines in the configuration in multiple-context mode. That is NOT a whole lot when you convert from Checkpoint to FWSM.
- When I mentioned 10%, I meant to say I did about 10 Checkpoint to Pix/ASA conversions and 1 out of 10 actually worked. The other 9 were a mess. Customers were not very happy. The Cisco engineer helping with the project was a triple CCIE and he could not do it either. In the end, the customer decided to stay with Nokia and upgraded the Nokia to the IP2260.
Last but not least, the more interfaces you have on the Nokia and the more complex the rules, the harder it will get. The FWSM does NOT support VPN either. You have to get an SPA module for this.
Good luck to you.
CCIE security
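Both replies above single out Check Point "negate" rules and "domain" objects as things that do not carry over to FWSM/ASA access-lists, and the last reply warns that the FWSM configuration line budget is tight. The script below is an added example written for this thread; it is not code from either poster, from Cisco's SCT, or from Check Point. It shows the one rewrite of a negated source/destination column that keeps first-match semantics: instead of inserting an explicit deny followed by "permit any" (which would shadow any later rule that permits traffic from the negated objects), it computes the complement of the negated address set and emits one ASA/FWSM `access-list ... extended` line per complement block. The class and function names (`CPRule`, `to_networks`, `complement`, `expand_rule`) and the sample rule are constructed for the example.

```python
"""
Rewrite Check Point "negate" rules as explicit Cisco ASA/FWSM access-list lines.

Cisco ACLs have no NOT operator. The quick rewrite (deny the negated objects,
then permit any) changes semantics: the inserted deny stops evaluation, so any
later Check Point rule that would have allowed that traffic is silently shadowed.
This example instead computes the complement of the negated address set and
emits one permit/deny per complement block, which preserves first-match
semantics at the cost of more lines. All names here are constructed for this
example; they are not Check Point or Cisco APIs.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Sequence


@dataclass
class CPRule:
    """Minimal model of one Check Point rulebase entry (constructed)."""
    sources: Sequence[str]        # CIDR strings standing in for network/host objects
    destinations: Sequence[str]
    proto: str                    # 'ip', 'tcp' or 'udp'
    port: str                     # destination port number, or 'any'
    action: str                   # 'accept' or 'drop'
    negate_src: bool = False      # Check Point "negate cell" on the source column
    negate_dst: bool = False


def to_networks(objects: Sequence[str]) -> List[IPv4Network]:
    """Parse address objects. Anything that is not an address/CIDR (for example
    a Check Point 'domain' object such as mydomain.com) has no FWSM equivalent
    and is rejected so it cannot silently vanish from the converted policy."""
    nets = []
    for obj in objects:
        try:
            nets.append(ip_network(obj))
        except ValueError as exc:
            raise ValueError(f"object {obj!r} is not an address; domain objects "
                             "must be resolved to addresses by hand") from exc
    return nets


def complement(nets: Sequence[IPv4Network]) -> List[IPv4Network]:
    """Return CIDR blocks covering every IPv4 address that is NOT in `nets`."""
    remaining: List[IPv4Network] = [IPv4Network("0.0.0.0/0")]
    for excluded in nets:
        kept: List[IPv4Network] = []
        for block in remaining:
            if block.subnet_of(excluded):
                continue                      # block lies entirely inside an excluded object
            if excluded.subnet_of(block):
                kept.extend(block.address_exclude(excluded))  # carve the object out
            else:
                kept.append(block)            # disjoint CIDR blocks: keep as is
        remaining = kept
    return sorted(remaining)


def acl_addr(net: IPv4Network) -> str:
    """Render a network in ASA/FWSM access-list address syntax."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def expand_rule(rule: CPRule, acl_name: str) -> List[str]:
    """Return the ordered access-list lines implementing one rule."""
    action = "permit" if rule.action == "accept" else "deny"
    srcs = to_networks(rule.sources)
    dsts = to_networks(rule.destinations)
    if rule.negate_src:
        srcs = complement(srcs)
    if rule.negate_dst:
        dsts = complement(dsts)
    port = "" if rule.proto == "ip" or rule.port == "any" else f" eq {rule.port}"
    return [f"access-list {acl_name} extended {action} {rule.proto} "
            f"{acl_addr(s)} {acl_addr(d)}{port}"
            for s in srcs for d in dsts]


# Constructed sample: "everything except 10.1.0.0/16 may reach the web server on 443".
SAMPLE = CPRule(sources=["10.1.0.0/16"], destinations=["192.0.2.10/32"],
                proto="tcp", port="443", action="accept", negate_src=True)

if __name__ == "__main__":
    lines = expand_rule(SAMPLE, "outside_in")
    for line in lines:
        print(line)
    print(f"{len(lines)} access-list lines for one negated /16")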
