https://community.checkpoint.com/t5/SmartMove/Smartmove-not-optimizing-cisco-asa-policy/m-p/193124#M523 <P>We are moving from cisco ASA to checkpoint. We are using checkpoint smartmove tool to convert existing cisco asa configuration to checkpoint. But the smartmove does not optimize the the rules. Kindly see attached pic for more details.</P> Wed, 20 Sep 2023 05:16:56 GMT idc 2023-09-20T05:16:56Z https://community.checkpoint.com/t5/SmartMove/Smartmove-not-optimizing-cisco-asa-policy/m-p/193124#M523 <P>We are moving from cisco ASA to checkpoint. We are using checkpoint smartmove tool to convert existing cisco asa configuration to checkpoint. But the smartmove does not optimize the the rules. Kindly see attached pic for more details.</P> Wed, 20 Sep 2023 05:16:56 GMT https://community.checkpoint.com/t5/SmartMove/Smartmove-not-optimizing-cisco-asa-policy/m-p/193124#M523 idc 2023-09-20T05:16:56Z https://community.checkpoint.com/t5/SmartMove/Smartmove-not-optimizing-cisco-asa-policy/m-p/193126#M524 <P>SmartMove is not policy optimization tool, it is a migration tool.&nbsp;</P> Wed, 20 Sep 2023 06:29:47 GMT https://community.checkpoint.com/t5/SmartMove/Smartmove-not-optimizing-cisco-asa-policy/m-p/193126#M524 _Val_ 2023-09-20T06:29:47Z https://community.checkpoint.com/t5/SmartMove/Smartmove-not-optimizing-cisco-asa-policy/m-p/193133#M525 <P>SmartMove does optimize the policy <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>you can review the comments on the code:</P> <P><A href="https://raw.githubusercontent.com/CheckPointSW/SmartMove/master/CheckPointObjects/RuleBaseOptimizer.cs" target="_blank">https://raw.githubusercontent.com/CheckPointSW/SmartMove/master/CheckPointObjects/RuleBaseOptimizer.cs</A></P> <P>&nbsp;</P> <PRE> /// &lt;summary&gt; /// Optimizes the security policy rulebase by merging several rules from the same sub-policy into a single rule. /// Two rules can be merged into one rule if: /// 1. both rules have the same action, and /// 2. both rules are enabled or disabled, and /// 3. both rules have source and destination columns negated or not, and /// 4. both rules have the same time objects, and /// 5. either one of the following is true: /// 5.1. both the source and destination columns match /// 5.2. both the source and service columns match /// 5.3. both the destination and service columns match /// for CiscoASA and FirePower vendors there is an option to optimize by comments - /// two rules can be merged if they have the same comments and in addition they up to the above criteria. /// &lt;/summary&gt;</PRE> <P>you will need to uncheck the optimized by comments in your case .</P> <P>&nbsp;</P> Wed, 20 Sep 2023 07:37:06 GMT https://community.checkpoint.com/t5/SmartMove/Smartmove-not-optimizing-cisco-asa-policy/m-p/193133#M525 Ofir_Shikolski 2023-09-20T07:37:06Z https://community.checkpoint.com/t5/SmartMove/Smartmove-not-optimizing-cisco-asa-policy/m-p/193134#M526 <P>Oookay, I stand corrected. You can also see that it made 15k rules out of over 28k original records. Let's say, it can consolidate the original policy, but only to some extent.</P> Wed, 20 Sep 2023 07:42:36 GMT https://community.checkpoint.com/t5/SmartMove/Smartmove-not-optimizing-cisco-asa-policy/m-p/193134#M526 _Val_ 2023-09-20T07:42:36Z https://community.checkpoint.com/t5/SmartMove/Smartmove-not-optimizing-cisco-asa-policy/m-p/193135#M527 <P>The policy is <STRONG>always</STRONG> optimized for Check Point products.</P> <P>There are two steps:</P> <OL> <LI> <P>Convert the policy.</P> </LI> <LI> <P>Optimize the policy - this can result in up to a 70%+ improvement in efficiency compared to the converted policy (The logic is based on Check Point's Smart Optimized utility).</P> </LI> </OL> <P>There are scenarios where the converted policy cannot be further optimized.</P> Wed, 20 Sep 2023 07:49:24 GMT https://community.checkpoint.com/t5/SmartMove/Smartmove-not-optimizing-cisco-asa-policy/m-p/193135#M527 Ofir_Shikolski 2023-09-20T07:49:24Z