Thanks Kureli, but I already have SCT, if you read my concern carefully above was that the the SCT tool require to feed it *.W (rule def. file from checkpoint), this file is not present on the config directory of checkpoint, has anybody run into such issue ?

Another quick question, has the new tool ASAM replaced SCT ?

-regards

A.B

Yes that is correct.  ASAM was introduced in Mar 2011. ASAM version 1.4 was released in July 2011.

From the check point configuration files, you should have:

- Object definition file - This file contains the object deninition for CP firewall. The file name is objects.C

- Policy and Rule Definition File - This file contains the policy and rule definition for CP firewall. The file name is .W

- (optional) FWS file - This file is stored in the management system and contains the rule comments. The file name is rulebases.fws or rulebases_5_0.fws.

I am not sure why you do not see .W file.

-Kureli

Yeah..I was able to extract all the files from  checkpoint but cant find .w file, will look into it but if someone has ran into such issue please share. Ok..so ASAM is a next  gen SCT  that has replaced SCT. Is it available for partners on CCO.?  have you ever used it ?

Hi Poonguzhali Sankar,

Where can i download or get ASAM? It is quite urgent. Thanks.

Kureli..you mentioned about ASAM..where can we download it from.? Its kinda urgent for us....

Hi-

I don't have the direct link, but I have the program and can FTP it to you. Let me know, thanks.

Can you email that to me..?

Hi Jean,

Thanks. Could you send it to my email or any service like http://www.yousendit.com/

Thanks.

Sorry. Had been too busy lately. 

SCT tool is available online to download which you already have. The ASA M tool appears to be internal only and you would have to reach out to your local Advance Services Team to be able to use it.

Reach out to them and see if they can assist you further.  Personally I haven't used either one of them.

-Kureli

Here is my 2c about SCT:

I have work with Checkpoint firewall for about ten years on a daily basis so I like to think that I know check point well but I can not say I am a checkpoint expert.  I've worked with the Pix/ASA for about ten years as well but not on a daily basis.

About five years ago, a place where I used to work, a service provider, has a big Checkpoint environment and they would like to offer customers other firewalls such as Juniper and Cisco, in addition to Checkpoint.  At the time, I thought this is

a good idea because I just completed my CCIE security

There are customers who would like to migrate from Checkpoint to Pix/ASA but they have very complex policies with asymetrical routing on the Checkpoint firewalls. 

At the time, Cisco has provided me with the SCT tool so that I can convert rule base from Checkpoint to Pix/ASA configuration.  They actually assigned a Cisco SE to work with me on a daily basis for almost four week.  I think back late 2005 and 2006, SCT was just released then.

Long story short, the conversion from Checkpoint to ASA is nothing but a nightmare.  We have a checkpoint policy with about 200 rules but with about 12 interfaces.  The SCT converted it into 950,000 lines in the configuration.  This is due to the fact checkpoint has no concept of security level on the interface but ASA does.  Not only that, the SCT tool can not convert the domain object from checkpoint and it does not do "negated" rules in Checkpoint.  The Network Address Translation (NAT) is also a complete nightmare.  And we're not even getting into the SmartDefense/IPS in checkpoint.  SCT can not support that feature either. We had another instance where the SCT converts another policy to about 1.5 million of lines and it is only half-way through.

I don't think any firewall administrators would want to manage a configuration with 950,000 lines in it, do you?

Long story short, SCT is only useful if you have a handful of checkpoint rule with simple NAT.  Otherwise, it is not usable.  I am not sure if SCT was written by folks with extensive Checkpoint experience.  My impression is that it is not but then I could be wrong

There is a product out there, if I remember correctly, that does the same thing that SCT does but much better from a french company call SolSoft.

I assume "ASAM" is a service and not a tool from Cisco?

In direct response to your 5-6 year old view of both the PIX/ASA and the SCT application.  You are reasonably close to some of the problems.  So I as well do not recommend SCT and it's usage unless (as you said) you have a small and uncomplicated policy.  That being said, I would say that although SCT has not been upgrade or improved on since that time, the ASA policy capabilities and the sofware have.   So the ability to migrate can be much less complex when using some of the newer ASA capabilities.

As for SolSoft, or as it was call Exaprotect before acquisition by LogLogic in 2009.  It too had a problem with generation of large policies similar to what you stated earlier due to the PIX/ASA policy and capabilities at that time.

And yes the ASAM or ASA Migration portal is an internal Service delivery platform for current consulting services engagements.  It's features and functionality are far reaching in aiding in the delivery of migration services for our Cisco engineers.  And it does not have issues with quite large and complex policies.  I personally have delivered devices from CP that are of ~2,000-3,000 rules and many interfaces.  One of which had over 50.

Hope this helps

"In direct response to your 5-6 year old view of both the PIX/ASA and the SCT application. 

You are reasonably close to some of the problems."

I just ran the same test one week ago using SCT with a Checkpoint security policy with

about 300 rules and about 10 interfaces including complex NAT.  Well, the conversion did

not go well at all.  I still standby what I said earlier.

"And yes the ASAM or ASA Migration portal is an internal Service delivery platform

for current consulting services engagements.  It's features and functionality are

far reaching in aiding in the delivery of migration services for our Cisco engineers. 

And it does not have issues with quite large and complex policies. 

I personally have delivered devices from CP that are of ~2,000-3,000 rules and many

interfaces.  One of which had over 50."

I hate to say this but this sound very much like marketing from a sale engineer.  One of the most difficult

part of converting CP to ASA policy is the NAT rules.  If you have very complex NAT rules in CP,

I am not sure how the ASAM will handle this.  It sound to me like the ASAM is a combination

of SCT and consulting services engagement combined. 

The other thing is how ASAM will convert the SmartDefense/IPS from CP into ASA policy.

The other thing is that in Checkpoint policy, you will have asymetric routing  and "partial"

anti-spoofing.  How will ASAM handle that?

I would love to see how this ASAM work for the CP to ASA conversion process. If this works,

it is a fantastic idea but it just seems too good to be true.