I am trying to migrate Check Point configs to an ASA 5585 using the SCT tool. This tool is asking me to feed it a *.W file from Check Point, which is supposed to be a rule definition file on CP, but I can't find it. Does anybody have any clues on this?
Thanks Kureli, but I already have SCT. If you read my concern carefully above, it was that the SCT tool requires you to feed it a *.W file (the rule definition file from Check Point); this file is not present in the config directory of Check Point. Has anybody run into such an issue?
Another quick question: has the new tool ASAM replaced SCT?
Yes that is correct. ASAM was introduced in Mar 2011. ASAM version 1.4 was released in July 2011.
From the check point configuration files, you should have:
- Object definition file - This file contains the object definition for the CP firewall. The file name is objects.C
- Policy and Rule Definition File - This file contains the policy and rule definition for the CP firewall. The file name is
- (optional) FWS file - This file is stored in the management system and contains the rule comments. The file name is rulebases.fws or rulebases_5_0.fws.
I am not sure why you do not see .W file.
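Since the thread turns on whether the data collection step produced all the files the migration tool expects, here is a small check for an exported Check Point configuration directory. It is an added example, not part of the thread and not code from Cisco's SCT or ASAM; it assumes only the file names listed in the post above (objects.C, a rulebase file ending in .W, and the optional rulebases.fws / rulebases_5_0.fws). The sample export it builds for the demo is constructed placeholder content, not real Check Point data.

```python
"""Verify that a Check Point export directory holds the files listed in the
post above before handing it to a migration tool.

Required: objects.C and at least one rulebase file ending in .W.
Optional: rulebases.fws or rulebases_5_0.fws (rule comments).
Matching is case-insensitive because exports are often copied across
case-insensitive filesystems (the original poster wrote ".w").
"""
from pathlib import Path
import tempfile

OPTIONAL_NAMES = ("rulebases.fws", "rulebases_5_0.fws")


def check_export(export_dir):
    """Return a report dict for one export directory.

    missing          - required items that were not found
    rulebase_files   - the .W files that were found (actual names)
    optional_present - which of the optional .fws files were found
    """
    files = {p.name.lower(): p for p in Path(export_dir).iterdir() if p.is_file()}
    report = {"missing": [], "rulebase_files": [], "optional_present": []}

    if "objects.c" not in files:
        report["missing"].append("objects.C")

    report["rulebase_files"] = sorted(p.name for n, p in files.items() if n.endswith(".w"))
    if not report["rulebase_files"]:
        report["missing"].append("*.W")

    report["optional_present"] = sorted(
        files[n.lower()].name for n in OPTIONAL_NAMES if n.lower() in files
    )
    return report


def is_ready(report):
    """True when nothing required is missing."""
    return not report["missing"]


def demo_reports():
    """Build two constructed sample exports in a temp dir and check both.

    The first has every file; the second reproduces the poster's situation
    (objects.C present, no .W file). File bodies are placeholders.
    """
    base = Path(tempfile.mkdtemp())
    complete = base / "complete"
    complete.mkdir()
    for name in ("objects.C", "Standard.W", "rulebases_5_0.fws"):
        (complete / name).write_text("(\n)\n")  # constructed placeholder
    missing_w = base / "missing_w"
    missing_w.mkdir()
    (missing_w / "objects.C").write_text("(\n)\n")  # constructed placeholder
    return check_export(complete), check_export(missing_w)


if __name__ == "__main__":
    for label, rep in zip(("complete", "missing_w"), demo_reports()):
        print(label, "ready" if is_ready(rep) else "NOT ready", rep)
```

Run it against a real export with `check_export("/path/to/export")`; an empty `missing` list means the directory at least contains what the post says the tool wants, and `rulebase_files` tells you which policy packages were exported.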
Yeah, I was able to extract all the files from Check Point but can't find the .W file. I will look into it, but if someone has run into such an issue please share. OK, so ASAM is a next-gen SCT that has replaced SCT. Is it available for partners on CCO? Have you ever used it?
Sorry. Had been too busy lately.
The SCT tool is available online to download, which you already have. The ASAM tool appears to be internal only, and you would have to reach out to your local Advanced Services team to be able to use it.
Reach out to them and see if they can assist you further. Personally I haven't used either one of them.
ASAM is not a tool. You cannot download it.
SCT in its current version is all that is available for download from Cisco. There is no update to SCT and there are no plans to update SCT further. It was developed a long time ago and doesn't consider any of the newer Check Point releases, nor does it have capabilities for the new ASA platforms. Your discussion above about the requirement for the .W file is related to how SCT was developed. When trying to migrate from Check Point to Cisco, the data collection methodology is very critical. You must have all the correct files related to your Check Point firewall to start your process. The Cisco Advanced Services - World Wide Security Services Practice is currently the delivery vehicle that utilizes our migration services.
Here is my 2c about SCT:
I have worked with Checkpoint firewalls for about ten years on a daily basis, so I like to think that I know Check Point well, but I cannot say I am a Check Point expert. I've worked with the PIX/ASA for about ten years as well, but not on a daily basis.
About five years ago, a place where I used to work, a service provider, had a big Checkpoint environment and they wanted to offer customers other firewalls such as Juniper and Cisco, in addition to Checkpoint. At the time, I thought this was a good idea because I had just completed my CCIE Security.
There are customers who would like to migrate from Checkpoint to PIX/ASA, but they have very complex policies with asymmetrical routing on the Checkpoint firewalls.
At the time, Cisco had provided me with the SCT tool so that I could convert the rule base from Checkpoint to PIX/ASA configuration. They actually assigned a Cisco SE to work with me on a daily basis for almost four weeks. I think back in late 2005 and 2006, SCT had just been released.
Long story short, the conversion from Checkpoint to ASA is nothing but a nightmare. We had a Checkpoint policy with about 200 rules but about 12 interfaces. The SCT converted it into 950,000 lines in the configuration. This is due to the fact that Checkpoint has no concept of a security level on the interface but ASA does. Not only that, the SCT tool cannot convert the domain object from Checkpoint and it does not do "negated" rules in Checkpoint. The Network Address Translation (NAT) is also a complete nightmare. And we're not even getting into the SmartDefense/IPS in Checkpoint; SCT cannot support that feature either. We had another instance where the SCT converted another policy to about 1.5 million lines and it was only half-way through.
I don't think any firewall administrators would want to manage a configuration with 950,000 lines in it, do you?
Long story short, SCT is only useful if you have a handful of Checkpoint rules with simple NAT. Otherwise, it is not usable. I am not sure if SCT was written by folks with extensive Checkpoint experience. My impression is that it was not, but then I could be wrong.
There is a product out there, if I remember correctly, that does the same thing that SCT does but much better, from a French company called SolSoft.
I assume "ASAM" is a service and not a tool from Cisco?
In direct response to your 5-6 year old view of both the PIX/ASA and the SCT application: you are reasonably close to some of the problems. So I as well do not recommend SCT and its usage unless (as you said) you have a small and uncomplicated policy. That being said, I would say that although SCT has not been upgraded or improved on since that time, the ASA policy capabilities and the software have. So the ability to migrate can be much less complex when using some of the newer ASA capabilities.
As for SolSoft, or as it was called Exaprotect before its acquisition by LogLogic in 2009, it too had a problem with generation of large policies similar to what you stated earlier, due to the PIX/ASA policy and capabilities at that time.
And yes, the ASAM or ASA Migration portal is an internal service delivery platform for current consulting services engagements. Its features and functionality are far reaching in aiding in the delivery of migration services for our Cisco engineers. And it does not have issues with quite large and complex policies. I personally have delivered devices from CP that are of ~2,000-3,000 rules and many interfaces, one of which had over 50.
Hope this helps
"In direct response to your 5-6 year old view of both the PIX/ASA and the SCT application. You are reasonably close to some of the problems."
I just ran the same test one week ago using SCT with a Checkpoint security policy with about 300 rules and about 10 interfaces including complex NAT. Well, the conversion did not go well at all. I still stand by what I said earlier.
"And yes the ASAM or ASA Migration portal is an internal Service delivery platform for current consulting services engagements. It's features and functionality are far reaching in aiding in the delivery of migration services for our Cisco engineers. And it does not have issues with quite large and complex policies. I personally have delivered devices from CP that are of ~2,000-3,000 rules and many interfaces. One of which had over 50."
I hate to say this, but this sounds very much like marketing from a sales engineer. One of the most difficult parts of converting a CP to ASA policy is the NAT rules. If you have very complex NAT rules in CP, I am not sure how the ASAM will handle this. It sounds to me like the ASAM is a combination of SCT and a consulting services engagement combined.
The other thing is how ASAM will convert the SmartDefense/IPS from CP into ASA policy.
The other thing is that in a Checkpoint policy, you will have asymmetric routing and "partial" anti-spoofing. How will ASAM handle that?
I would love to see how this ASAM works for the CP to ASA conversion process. If this works, it is a fantastic idea, but it just seems too good to be true.
Here is the new self-service tool that Cisco has released to convert other vendors' firewalls to Cisco ASA.
Currently it supports Juniper ScreenOS and CheckPoint to Cisco ASA conversion.
Link to the original post:
Link to the tool itself:
The URL https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk30765 : this solution has been removed from the Check Point site.