topic Re: SmartMove from Juniper with LSYS in SmartMove

SmartMove from Juniper with LSYS

robertp — Tue, 16 Dec 2025 13:38:07 GMT

Hey,

I am trying to migrate from a Juniper with logical systems to Check Point VSX. I know I can't count on SmartMove to do everything for me, but I would want it to at least help me move the 1000+ policies 🙂 Any idea how to do it? When I exported the whole xml file off the Juniper and put it into SmartMove I only got the policies from the root logical system. Exporting the logical system itself didn't work either. At this point doesn't even matter if it puts everything in one policy, or does separate ones, as long as I get the rules and objects on the SMS. Any advice would be appreciated.

Re: SmartMove from Juniper with LSYS

the_rock — Tue, 16 Dec 2025 13:41:48 GMT

Not sure if you are allowed to send the file, but I would be happy to try it in the lab and see if I can make it work. I did this with Fortigate, Cisco, PAN, always worked fine.

Re: SmartMove from Juniper with LSYS

the_rock — Tue, 16 Dec 2025 14:21:14 GMT

I built R82 latest jumbo 44 mgmt server, so if you are allowed/willing to send the Juniper config file, Im happy to give it a go.

Cheers.

Re: SmartMove from Juniper with LSYS

robertp — Tue, 16 Dec 2025 14:34:09 GMT

Hi, I am not, but I'm deploying two logical systems on a test SRX I have, I will add a few policies, check if it gives me the same output as the production one, and if it does I will send that one over. Any potential fix should be valid for the production boxes also. Not sure if I will make it today due to some other tasks but I'll keep in touch max tomorrow. Thanks

Re: SmartMove from Juniper with LSYS

the_rock — Tue, 16 Dec 2025 15:11:27 GMT

No worries...lab test mgmt is ready on my end.

Re: SmartMove from Juniper with LSYS

Vincent_Bacher — Tue, 16 Dec 2025 15:42:55 GMT

First of all, I would like to congratulate you on your decision to leave SRX. No matter where you go, anywhere is better than SRX. Except for Cisco FTD. I speak from experience.

Anyway, I read this in the sk for SmartMove
“Multi routing instance configuration - only single routing instance is supported”
I assume they mean lsys. However, I can't find anywhere in the sk how to deal with multi lsys.

Re: SmartMove from Juniper with LSYS

the_rock — Tue, 16 Dec 2025 20:50:51 GMT

I only worked once with SRX, was challenging, to say the least. As far as Cisco FTD, while back, not recently, so not sure how much it changed.

Re: SmartMove from Juniper with LSYS

Vincent_Bacher — Tue, 16 Dec 2025 22:57:41 GMT

To be honest, I've had a bad experience with SRX and FTD.
We once lost a lucrative customer, a bank, because of Juniper and SRX.
We had only recently acquired the customer and, at their request, migrated an important cluster to SRX. Then an upgrade was due, and during the change we had a split brain situation. Even the Juniper experts present couldn't find the cause at first. Until a colleague of mine found out in a user group that the behaviour of sync traffic in VLAN had changed with the new release and how to revert it. But that was still enough for the customer to kick us out.
As for FTD, we once set up a two-tier DMZ environment. Checkpoint on the inside and FTD on the outside. Again, after an FTD upgrade, every few days the FTD cluster decided to reject all DNS requests to the outside. The only workaround until a patch version was delivered was to reboot the nodes. Simultaneously.
Since these incidents, I have not wanted to have anything to do with either of them.

Re: SmartMove from Juniper with LSYS

the_rock — Tue, 16 Dec 2025 23:03:42 GMT

Im never gonna forget the call I had once with Cisco support guy about FTD when it was somewhat new and I could tell even he was not familiar with it, so I genuinly felt bad, but you know how it goes when we have to help our own clients.

Anyway, after some time, I could tell we were not going anywhere and I asked him if he could maybe escalate the case and he says to me ( NOT paraphrasing) "You know Mr Andy, I will be 100% honest with you, I can escalate this case, but next engineer will probably know less than me about this"

Gave me good laugh LOL

Re: SmartMove from Juniper with LSYS

Vincent_Bacher — Tue, 16 Dec 2025 23:15:26 GMT

Yes I know well the issue to have to support the customers but now I am at the customer side.

An I as well had times where I frequently had to fight with tac to get an engineer that was not less experienced and qualified than myself. But I will not name the vendor

Re: SmartMove from Juniper with LSYS

the_rock — Tue, 16 Dec 2025 23:22:08 GMT

Truth be told, it could happen with any vendor, specially when there is lots of pressure to fix the problem right over the phone. I recall once with Cisco, lady was so persistent wanting to fix the problem, I had to tell her 10 times I was going to miss the flight to Bora Bora if we go over 6 pm lol

Anyway, we all know how stressfull IT world can be...

@robertp If you are allowed to send any config files, I got time Wednesday to try and see if import works via smartmove tool.

Re: SmartMove from Juniper with LSYS

robertp — Wed, 17 Dec 2025 13:53:19 GMT

Hey, sorry for the delay. Attaching an xml from a test firewall I configured. The firewall looks like this:

root logical system:

1 zone-to-zone policy

1 global deny policy

two logical systems (WAN and WWW) each have the same policies:

2 zone-to-zone policies and 1 global policy

When using smartmove I get the zone-to-zone policy from root and a lot of deny rules ( I guess some are the implied rules that Juniper has by default). The result is exactly the same as for the production firewall.

Reg the comments about vendors - SRX is a good L3 firewall, more stable and easier to configure than any other I worked on. It is definitely not a next-gen firewall, even though the vendor says so. As we all know - every vendor has it's problems. I don't even want to start talking about various TAC engagements (for any vendor) as I want to keep it civilized 😉

I proposed a migration from the SRX to CP to the customer and honestly it has been one large headache till now. The outcome might be worth it in the end but not yet... If the smartmove tool doesn't work it will be yet another delay (possibly a large one now as someone will have to go and rewrite the policies by hand).

Re: SmartMove from Juniper with LSYS

the_rock — Wed, 17 Dec 2025 13:57:28 GMT

Thank you! Give me some time, as I have large Fortigate -> CP cutover tomorrow, so that takes priority. But, I will definitely give this a go today and update you.

Re: SmartMove from Juniper with LSYS

the_rock — Wed, 17 Dec 2025 14:05:49 GMT

@robertp Just realized I got an hour to spare, so let me try this now. Otherwise, will continue this afternoon and update you.

Re: SmartMove from Juniper with LSYS

robertp — Wed, 17 Dec 2025 14:09:25 GMT

No worries, freeze period starting soon anyway, I won't have much else to do than try to fix it for some time so it's not super urgent right now. Much appreciated!

Re: SmartMove from Juniper with LSYS

the_rock — Wed, 17 Dec 2025 14:11:10 GMT

Not to sound cheese or corny now, but I always look at this comunity as brotherhood/sisterhood, so we are here to always help, so I will certainly test it and let you know the results mate.

Stand by 🙂

Re: SmartMove from Juniper with LSYS

the_rock — Wed, 17 Dec 2025 14:23:12 GMT

@robertp

I got no clue if this looks right, but this is what it gave me, took literally 10 mins.

Re: SmartMove from Juniper with LSYS

robertp — Wed, 17 Dec 2025 14:36:26 GMT

Hi,

It doesn't I'm afraid, the policies that are under logical-systems in the SRX are not here at all. Normally in a perfect world there should be 3 policies generated from this xml - one root, one called WWW and one WAN. It's also fine(ish) if they generate all in one policy and I could just separate them myself. For example, in your import you cannot see the two below policies, because they are under the 'logical-systems' section:

Re: SmartMove from Juniper with LSYS

the_rock — Wed, 17 Dec 2025 14:38:21 GMT

So how many rules you say should be there all together?

Re: SmartMove from Juniper with LSYS

robertp — Wed, 17 Dec 2025 14:45:26 GMT

At least 8, maybe more if it also imports the implied rules which it seems it does. If that's the case then 11.

5 rules with permits and custom objects, and the rest denies.