Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Cisco Employee

checkpoint to ASA migration

I am trying to migrate checkpoint configs to ASA 5585 using SCT tool, this tool asking me to feed it *.W file from checkpoint which is suppose to be a rule definition file on CP, but I cant find it, does anybody have any clues on this ?

-regards

AB

16 REPLIES
Cisco Employee

checkpoint to ASA migration

Here is a .pdf:

Here is the SCT/PPT:

I hope the above two links will help you.

-Kureli

Cisco Employee

checkpoint to ASA migration

Thanks Kureli, but I already have SCT, if you read my concern carefully above was that the the SCT tool require to feed it *.W (rule def. file from checkpoint), this file is not present on the config directory of checkpoint, has anybody run into such issue ?

Another quick question, has the new tool ASAM replaced SCT ?

-regards

A.B

Cisco Employee

checkpoint to ASA migration

Yes that is correct.  ASAM was introduced in Mar 2011. ASAM version 1.4 was released in July 2011.

From the check point configuration files, you should have:

- Object definition file - This file contains the object deninition for CP firewall. The file name is objects.C

- Policy and Rule Definition File - This file contains the policy and rule definition for CP firewall. The file name is .W

- (optional) FWS file - This file is stored in the management system and contains the rule comments. The file name is rulebases.fws or rulebases_5_0.fws.

I am not sure why you do not see .W file.

-Kureli

Cisco Employee

checkpoint to ASA migration

Yeah..I was able to extract all the files from  checkpoint but cant find .w file, will look into it but if someone has ran into such issue please share. Ok..so ASAM is a next  gen SCT  that has replaced SCT. Is it available for partners on CCO.?  have you ever used it ?

New Member

checkpoint to ASA migration

Hi Poonguzhali Sankar,

Where can i download or get ASAM? It is quite urgent. Thanks.

Cisco Employee

checkpoint to ASA migration

Kureli..you mentioned about ASAM..where can we download it from.? Its kinda urgent for us....

New Member

checkpoint to ASA migration

Hi-

I don't have the direct link, but I have the program and can FTP it to you. Let me know, thanks.

Cisco Employee

checkpoint to ASA migration

Can you email that to me..?

New Member

checkpoint to ASA migration

Hi Jean,

Thanks. Could you send it to my email or any service like http://www.yousendit.com/

Thanks.

Cisco Employee

checkpoint to ASA migration

Sorry. Had been too busy lately. 

SCT tool is available online to download which you already have. The ASA M tool appears to be internal only and you would have to reach out to your local Advance Services Team to be able to use it.

Reach out to them and see if they can assist you further.  Personally I haven't used either one of them.

-Kureli

New Member

checkpoint to ASA migration

ASAM is not a tool.  You cannot download it.

SCT in it's current version is all that is available for download from Cisco.  There is no update to SCT and there are no plans to update SCT further.  It was developed a long time ago and doesn't consider any of the newer Check Point releases, nor does it have capabilities for the new ASA platforms.  Your discussion above about the requirement for the .W file is related to how SCT was developed.  When trying to migrate from Check Point to Cisco.  The Data Collection Methodology is very critical.  You must have all the correct files related to your Check Point firewall to start your process.  The Cisco Advanced Services -World Wide Security Services Practice is currently the delivery vehicle that utilized our migration services.

-Mark

Bronze

checkpoint to ASA migration

Here is my 2c about SCT:

I have work with Checkpoint firewall for about ten years on a daily basis so I like to think that I know check point well but I can not say I am a checkpoint expert.  I've worked with the Pix/ASA for about ten years as well but not on a daily basis.

About five years ago, a place where I used to work, a service provider, has a big Checkpoint environment and they would like to offer customers other firewalls such as Juniper and Cisco, in addition to Checkpoint.  At the time, I thought this is

a good idea because I just completed my CCIE security

There are customers who would like to migrate from Checkpoint to Pix/ASA but they have very complex policies with asymetrical routing on the Checkpoint firewalls. 

At the time, Cisco has provided me with the SCT tool so that I can convert rule base from Checkpoint to Pix/ASA configuration.  They actually assigned a Cisco SE to work with me on a daily basis for almost four week.  I think back late 2005 and 2006, SCT was just released then.

Long story short, the conversion from Checkpoint to ASA is nothing but a nightmare.  We have a checkpoint policy with about 200 rules but with about 12 interfaces.  The SCT converted it into 950,000 lines in the configuration.  This is due to the fact checkpoint has no concept of security level on the interface but ASA does.  Not only that, the SCT tool can not convert the domain object from checkpoint and it does not do "negated" rules in Checkpoint.  The Network Address Translation (NAT) is also a complete nightmare.  And we're not even getting into the SmartDefense/IPS in checkpoint.  SCT can not support that feature either. We had another instance where the SCT converts another policy to about 1.5 million of lines and it is only half-way through.

I don't think any firewall administrators would want to manage a configuration with 950,000 lines in it, do you?

Long story short, SCT is only useful if you have a handful of checkpoint rule with simple NAT.  Otherwise, it is not usable.  I am not sure if SCT was written by folks with extensive Checkpoint experience.  My impression is that it is not but then I could be wrong

There is a product out there, if I remember correctly, that does the same thing that SCT does but much better from a french company call SolSoft.

I assume "ASAM" is a service and not a tool from Cisco?

New Member

checkpoint to ASA migration

In direct response to your 5-6 year old view of both the PIX/ASA and the SCT application.  You are reasonably close to some of the problems.  So I as well do not recommend SCT and it's usage unless (as you said) you have a small and uncomplicated policy.  That being said, I would say that although SCT has not been upgrade or improved on since that time, the ASA policy capabilities and the sofware have.   So the ability to migrate can be much less complex when using some of the newer ASA capabilities.

As for SolSoft, or as it was call Exaprotect before acquisition by LogLogic in 2009.  It too had a problem with generation of large policies similar to what you stated earlier due to the PIX/ASA policy and capabilities at that time.

And yes the ASAM or ASA Migration portal is an internal Service delivery platform for current consulting services engagements.  It's features and functionality are far reaching in aiding in the delivery of migration services for our Cisco engineers.  And it does not have issues with quite large and complex policies.  I personally have delivered devices from CP that are of ~2,000-3,000 rules and many interfaces.  One of which had over 50.

Hope this helps

Bronze

Re: checkpoint to ASA migration

"In direct response to your 5-6 year old view of both the PIX/ASA and the SCT application. 

You are reasonably close to some of the problems."

I just ran the same test one week ago using SCT with a Checkpoint security policy with

about 300 rules and about 10 interfaces including complex NAT.  Well, the conversion did

not go well at all.  I still standby what I said earlier.

"And yes the ASAM or ASA Migration portal is an internal Service delivery platform

for current consulting services engagements.  It's features and functionality are

far reaching in aiding in the delivery of migration services for our Cisco engineers. 

And it does not have issues with quite large and complex policies. 

I personally have delivered devices from CP that are of ~2,000-3,000 rules and many

interfaces.  One of which had over 50."

I hate to say this but this sound very much like marketing from a sale engineer.  One of the most difficult

part of converting CP to ASA policy is the NAT rules.  If you have very complex NAT rules in CP,

I am not sure how the ASAM will handle this.  It sound to me like the ASAM is a combination

of SCT and consulting services engagement combined. 

The other thing is how ASAM will convert the SmartDefense/IPS from CP into ASA policy.

The other thing is that in Checkpoint policy, you will have asymetric routing  and "partial"

anti-spoofing.  How will ASAM handle that?

I would love to see how this ASAM work for the CP to ASA conversion process. If this works,

it is a fantastic idea but it just seems too good to be true.

Cisco Employee

checkpoint to ASA migration

Here is the new self-service tool that Cisco has released to convert to any vendor firewalls to Cisco ASA.

Currently it supports Juniper ScreenOS and CheckPoint to Cisco ASA conversion.

Link to the original post:

https://supportforums.cisco.com/community/netpro/security/firewall/blog/2013/12/19/conversion-tool--checkpoint-fw-to-cisco-asa

Link to the tool itself:

https://fwmig.cisco.com

New Member

The URL https://supportcenter

4029
Views
0
Helpful
16
Replies
CreatePlease to create content