<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>Re: How to convert zone based firewall acl from Cisco Firepower to Checkpoint Maestro in SmartMove</title>
    <link>https://community.checkpoint.com/t5/SmartMove/How-to-convert-zone-based-firewall-acl-from-Cisco-Firepower-to/m-p/211495#M547</link>
    <description>&lt;P&gt;Source/destination fields can contain both zones and IP addresses in the same cell.&lt;BR /&gt;Service field can contain both "services" (mostly port-based with handlers for some of them), and "applications" (which use Layer 7 signatures).&lt;BR /&gt;However, these are treated as "or" and not "and" as you seem to be suggesting you need.&lt;/P&gt;
&lt;P&gt;If you're trying to match zone AND IP as part of a source/destination (meaning traffic must match both zone and IP), you will need to break it into two rules and use Inline Layers similar to:&lt;/P&gt;
&lt;P&gt;&lt;img src="https://community.checkpoint.com/t5/image/serverpage/image-id/25302i0CB9EC0130343FED/image-size/large?v=v2&amp;amp;px=999" alt="image.png" /&gt;&lt;/P&gt;
&lt;P&gt;In the main policy, Rule 3 matches if the source/destination zones are InternalZone and ExternalZone respectively.&lt;BR /&gt;If this rule does not match, the 3.x rules are skipped.&lt;BR /&gt;If this rule matches, then the subrules apply (for example 3.1 allows traffic between test and test2 and 3.2 blocks all other traffic from Internal Zone to External Zone).&lt;/P&gt;
&lt;P&gt;To add an Inline Layer, change the action to Inline Layer and select the relevant blade(s) that will be active on that inline layer.&lt;/P&gt;
&lt;P&gt;There are a couple of limits on policy layers: you can't push them to gateway versions prior to R80, and you can have a total of 251 layers in an Access Policy.&lt;/P&gt;</description>
    <pubDate>Tue, 16 Apr 2024 21:29:26 GMT</pubDate>
    <dc:creator>PhoneBoy</dc:creator>
    <dc:date>2024-04-16T21:29:26Z</dc:date>
    <item>
      <title>How to convert zone based firewall acl from Cisco Firepower to Checkpoint Maestro</title>
      <link>https://community.checkpoint.com/t5/SmartMove/How-to-convert-zone-based-firewall-acl-from-Cisco-Firepower-to/m-p/211379#M541</link>
      <description>&lt;P&gt;Recently we came to know that zone-based firewall access with specific source &amp;amp; destination IPs cannot be configured in Check Point Maestro, but without zone-based ACLs we cannot migrate the configuration from Cisco Firepower to CP Maestro. What would be the way out for a successful migration? Please note that we cannot configure IP-based ACLs, as we are already using classful IP blocks in different zones, and that kind of micromanagement of ACLs wouldn't help us do our BAU job.&lt;/P&gt;</description>
      <pubDate>Tue, 16 Apr 2024 10:57:51 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SmartMove/How-to-convert-zone-based-firewall-acl-from-Cisco-Firepower-to/m-p/211379#M541</guid>
      <dc:creator>Piyaldgupta</dc:creator>
      <dc:date>2024-04-16T10:57:51Z</dc:date>
    </item>
    <item>
      <title>Re: How to convert zone based firewall acl from Cisco Firepower to Checkpoint Maestro</title>
      <link>https://community.checkpoint.com/t5/SmartMove/How-to-convert-zone-based-firewall-acl-from-Cisco-Firepower-to/m-p/211442#M542</link>
      <description>&lt;P&gt;We've supported Zone-based Policies since R80...this includes Maestro.&lt;BR /&gt;Zones aren't listed as a limitation in SmartMove, either:&amp;nbsp;&lt;A href="https://support.checkpoint.com/results/sk/sk115416" target="_blank"&gt;https://support.checkpoint.com/results/sk/sk115416&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Not clear what the issue is.&lt;BR /&gt;Can you elaborate?&lt;/P&gt;</description>
      <pubDate>Tue, 16 Apr 2024 15:59:09 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SmartMove/How-to-convert-zone-based-firewall-acl-from-Cisco-Firepower-to/m-p/211442#M542</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2024-04-16T15:59:09Z</dc:date>
    </item>
    <item>
      <title>Re: How to convert zone based firewall acl from Cisco Firepower to Checkpoint Maestro</title>
      <link>https://community.checkpoint.com/t5/SmartMove/How-to-convert-zone-based-firewall-acl-from-Cisco-Firepower-to/m-p/211446#M543</link>
      <description>&lt;P&gt;I would also say SmartMove, but if it's not supported for this specific part, maybe reach out to your local sales person so they can see if the Professional Services team may have better option(s) for you.&lt;/P&gt;
&lt;P&gt;Best,&lt;/P&gt;
&lt;P&gt;Andy&lt;/P&gt;</description>
      <pubDate>Tue, 16 Apr 2024 16:16:58 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SmartMove/How-to-convert-zone-based-firewall-acl-from-Cisco-Firepower-to/m-p/211446#M543</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2024-04-16T16:16:58Z</dc:date>
    </item>
    <item>
      <title>Re: How to convert zone based firewall acl from Cisco Firepower to Checkpoint Maestro</title>
      <link>https://community.checkpoint.com/t5/SmartMove/How-to-convert-zone-based-firewall-acl-from-Cisco-Firepower-to/m-p/211451#M544</link>
      <description>&lt;P&gt;Are you talking about converting a NAT policy?&amp;nbsp; Security Zones have been supported in manual NAT rules since R81 and can exactly mimic the Cisco "interface pair" specification for matching NAT rules/statements.&lt;/P&gt;</description>
      <pubDate>Tue, 16 Apr 2024 16:46:12 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SmartMove/How-to-convert-zone-based-firewall-acl-from-Cisco-Firepower-to/m-p/211451#M544</guid>
      <dc:creator>Timothy_Hall</dc:creator>
      <dc:date>2024-04-16T16:46:12Z</dc:date>
    </item>
    <item>
      <title>Re: How to convert zone based firewall acl from Cisco Firepower to Checkpoint Maestro</title>
      <link>https://community.checkpoint.com/t5/SmartMove/How-to-convert-zone-based-firewall-acl-from-Cisco-Firepower-to/m-p/211460#M545</link>
      <description>&lt;P&gt;Yes sir, we have a PS team from CP, but they still couldn't give a concrete opinion about the same, i.e. an ACL solution including zone-based firewall ACLs for specific IPs.&lt;/P&gt;</description>
      <pubDate>Tue, 16 Apr 2024 17:51:54 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SmartMove/How-to-convert-zone-based-firewall-acl-from-Cisco-Firepower-to/m-p/211460#M545</guid>
      <dc:creator>Piyaldgupta</dc:creator>
      <dc:date>2024-04-16T17:51:54Z</dc:date>
    </item>
    <item>
      <title>Re: How to convert zone based firewall acl from Cisco Firepower to Checkpoint Maestro</title>
      <link>https://community.checkpoint.com/t5/SmartMove/How-to-convert-zone-based-firewall-acl-from-Cisco-Firepower-to/m-p/211461#M546</link>
      <description>&lt;P&gt;No sir, I am looking for a Cisco Firepower-like ACL solution including SRC Zone, SRC IP, SRC Port, DST Zone, DST IP, DST Port, Protocol.&lt;/P&gt;</description>
      <pubDate>Tue, 16 Apr 2024 17:53:45 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SmartMove/How-to-convert-zone-based-firewall-acl-from-Cisco-Firepower-to/m-p/211461#M546</guid>
      <dc:creator>Piyaldgupta</dc:creator>
      <dc:date>2024-04-16T17:53:45Z</dc:date>
    </item>
    <item>
      <title>Re: How to convert zone based firewall acl from Cisco Firepower to Checkpoint Maestro</title>
      <link>https://community.checkpoint.com/t5/SmartMove/How-to-convert-zone-based-firewall-acl-from-Cisco-Firepower-to/m-p/211495#M547</link>
      <description>&lt;P&gt;Source/destination fields can contain both zones and IP addresses in the same cell.&lt;BR /&gt;Service field can contain both "services" (mostly port-based with handlers for some of them), and "applications" (which use Layer 7 signatures).&lt;BR /&gt;However, these are treated as "or" and not "and" as you seem to be suggesting you need.&lt;/P&gt;
&lt;P&gt;If you're trying to match zone AND IP as part of a source/destination (meaning traffic must match both zone and IP), you will need to break it into two rules and use Inline Layers similar to:&lt;/P&gt;
&lt;P&gt;&lt;img src="https://community.checkpoint.com/t5/image/serverpage/image-id/25302i0CB9EC0130343FED/image-size/large?v=v2&amp;amp;px=999" alt="image.png" /&gt;&lt;/P&gt;
&lt;P&gt;In the main policy, Rule 3 matches if the source/destination zones are InternalZone and ExternalZone respectively.&lt;BR /&gt;If this rule does not match, the 3.x rules are skipped.&lt;BR /&gt;If this rule matches, then the subrules apply (for example 3.1 allows traffic between test and test2 and 3.2 blocks all other traffic from Internal Zone to External Zone).&lt;/P&gt;
&lt;P&gt;To add an Inline Layer, change the action to Inline Layer and select the relevant blade(s) that will be active on that inline layer.&lt;/P&gt;
&lt;P&gt;There are a couple of limits on policy layers: you can't push them to gateway versions prior to R80, and you can have a total of 251 layers in an Access Policy.&lt;/P&gt;</description>
      <pubDate>Tue, 16 Apr 2024 21:29:26 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SmartMove/How-to-convert-zone-based-firewall-acl-from-Cisco-Firepower-to/m-p/211495#M547</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2024-04-16T21:29:26Z</dc:date>
    </item>
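The matching semantics the answer above describes, as an added example that is not part of the thread and is not Check Point code: a small model of first-match evaluation showing that a zone and a host object in the same Source/Destination cell are OR-ed (so a one-rule translation of the Firepower ACE is wider than intended), while a parent rule whose action is an Inline Layer only exposes its 3.x sub-rules after the zone match, which gives the AND. It also emits the Management API request bodies for the same structure. The zone assigned to each packet, the object names, addresses, rule numbers, layer name and the inline layer's implicit cleanup action (Drop) are all assumptions made for the demo.

```python
"""Model of zone AND IP matching via an Inline Layer (added example, not
code from the thread or from Check Point). Zones are taken as already
assigned to the packet; on a gateway they come from interface topology.
The inline layer's implicit cleanup is assumed to be Drop (the default).
Objects, addresses and rule names are constructed for the demo."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Packet:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    service: str


@dataclass
class Rule:
    name: str
    source: list        # zone names (str) and/or ip_network objects; empty = Any
    destination: list
    services: list      # service names; empty = Any
    action: str         # "Accept", "Drop" or "Inline Layer"
    inline_layer: list = field(default_factory=list)  # sub-rules when action is "Inline Layer"
    inline_cleanup: str = "Drop"  # implicit cleanup of the inline layer (assumed default)


def cell_matches(cell, zone, ip):
    """One Source/Destination cell: its objects are OR-ed, never AND-ed."""
    if not cell:
        return True
    addr = ipaddress.ip_address(ip)
    for obj in cell:
        if isinstance(obj, str):
            if obj == zone:            # Security Zone object
                return True
        elif addr in obj:              # host or network object
            return True
    return False


def evaluate(rules, pkt, cleanup="Drop"):
    """First-match walk of one layer; returns (matched rule name, action)."""
    for rule in rules:
        matched = (cell_matches(rule.source, pkt.src_zone, pkt.src_ip)
                   and cell_matches(rule.destination, pkt.dst_zone, pkt.dst_ip)
                   and (not rule.services or pkt.service in rule.services))
        if not matched:
            continue
        if rule.action != "Inline Layer":
            return rule.name, rule.action
        # Parent matched: only now are the sub-rules consulted. If none matches,
        # the inline layer's own implicit cleanup decides; evaluation never falls
        # through to the rules below the parent.
        sub_name, sub_action = evaluate(rule.inline_layer, pkt, rule.inline_cleanup)
        return f"{rule.name}/{sub_name}", sub_action
    return "implicit cleanup", cleanup


TEST = ipaddress.ip_network("10.1.1.10/32")       # constructed host object "test"
TEST2 = ipaddress.ip_network("203.0.113.20/32")   # constructed host object "test2"

# Naive one-rule translation of the Firepower ACE: zone + host in the same cell.
FLAT = [Rule("1", ["InternalZone", TEST], ["ExternalZone", TEST2], ["https"], "Accept")]

# The layout the answer describes: rule 3 matches zones, 3.x match addresses.
LAYERED = [Rule("3", ["InternalZone"], ["ExternalZone"], [], "Inline Layer",
                inline_layer=[Rule("3.1", [TEST], [TEST2], ["https"], "Accept"),
                              Rule("3.2", [], [], [], "Drop")])]

# Constructed test traffic.
INTENDED = Packet("InternalZone", "10.1.1.10", "ExternalZone", "203.0.113.20", "https")
WRONG_ZONE = Packet("DMZ", "10.1.1.10", "ExternalZone", "203.0.113.20", "https")
WRONG_IP = Packet("InternalZone", "10.2.2.2", "ExternalZone", "198.51.100.5", "https")


def api_requests(layer="Network", parent_position=3):
    """Management API bodies that build the same structure (parameter names
    as in the add-access-layer / add-access-rule reference; layer name,
    positions and object names are constructed)."""
    sub = "Internal-to-External"
    return [
        ("add-access-layer", {"name": sub, "add-default-rule": False}),
        ("add-access-rule", {"layer": layer, "position": parent_position, "name": "3",
                             "source": "InternalZone", "destination": "ExternalZone",
                             "action": "Apply Layer", "inline-layer": sub}),
        ("add-access-rule", {"layer": sub, "position": "top", "name": "3.1",
                             "source": "test", "destination": "test2",
                             "service": "https", "action": "Accept"}),
        ("add-access-rule", {"layer": sub, "position": "bottom", "name": "3.2",
                             "action": "Drop"}),
    ]


if __name__ == "__main__":
    for label, pkt in (("intended", INTENDED), ("wrong zone", WRONG_ZONE), ("wrong IP", WRONG_IP)):
        print(label, "flat:", evaluate(FLAT, pkt), "layered:", evaluate(LAYERED, pkt))
```

Running it shows the flat rule accepting all three flows (the "wrong zone" flow matches on the host objects alone, the "wrong IP" flow on the zones alone), while the layered rulebase accepts only the intended flow, drops the wrong-IP flow on 3.2, and never reaches 3.x for the wrong-zone flow. The caveat to keep in mind when laying out such a rulebase is the one the model encodes: once the parent rule matches, traffic that no sub-rule matches is handled by that inline layer's implicit cleanup rule and does not continue to later rules in the main layer.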
    <item>
      <title>Re: How to convert zone based firewall acl from Cisco Firepower to Checkpoint Maestro</title>
      <link>https://community.checkpoint.com/t5/SmartMove/How-to-convert-zone-based-firewall-acl-from-Cisco-Firepower-to/m-p/211548#M549</link>
      <description>&lt;P&gt;Thanks for the feedback. I shall talk with my PS about it.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Apr 2024 07:14:34 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SmartMove/How-to-convert-zone-based-firewall-acl-from-Cisco-Firepower-to/m-p/211548#M549</guid>
      <dc:creator>Piyaldgupta</dc:creator>
      <dc:date>2024-04-17T07:14:34Z</dc:date>
    </item>
  </channel>
</rss>

