Hello everyone,
I wanted to share with you a tool that we developed to help us automate a big part of a project.
Long story short, we needed to migrate many virtual context from ASA to VSX. As you may know adding static routes and interfaces to a VS can be cumbersome. Especially if you have firewalls with +100 interfaces and +300 routes 😀
The tool was developed in Golang and is open source.
Keep in mind that this tool was developed for our use case, maybe you need to tinker around a bit regarding interfaces names. For example, you may need to replace "bond" with "eth"
Feel free to fork it if you need.
Download: ASAtoVSX Parser - Molten Minds Github
Current features (Tested with ASA Version 9.4(4)5 and Check Point R80.30)
Translation examples
| ASA | Check Point (vsx_provisioning_tool) | |
| Interface | interface Port-channelY.XX description *** nameif IFNAME security-level 30 ip address 172.**.**.** 255.255.128.0 ! | add interface name bondY.XX ip 172.**.**.** netmask 255.255.128.0 |
| Interface (Shutdown) | Caso interfaz down interface Port-channelY.XX description IFNAME shutdown nameif IFNAME security-level 30 ip address 10.**.**.** 255.255.255.248 ! | #add interface name bondY.XX ip 10.**.**.** netmask 255.255.255.248 |
| Static route | route IFNAME 10.**.**.** 255.255.255.255 10.**.**.** 1 | add route destination 10.**.**.** netmask 255.255.255.255 next_hop 10.**.**.** |
| Default route | route OUTSIDE 0.0.0.0 0.0.0.0 181.**.**.** 1 | add route destination default next_hop 186.**.**.** |
Usage
Usage is really simple.
1) Download the executable file from Github or compile the code yourself
2) Extract running config and save it as a text file with UTF-8 format . At the moment the tool only allow inputs in this format.
3) Using PowerShell execute the program command with the desired input file.
4) Check the output files
vsx_provisioning_tool sample output
Interfaces JSON output
Routes JSON output
5) Add the desired header on the VSX output for vsx_provisioning_tool to create de VS. Example: add vd name VS-Name vsx VSX-FW instances 1 main_ip 172.1.2.3
6) Put the script in the management server that manages the involved VSX and use vsx_provisioning_tool to execute it
7) Verify the new VS and push policy.
Lab
Sample VSX Lab prior script
After we move the generated script to the management server we execute it.
If any of the commands fail then the transaction will be canceled and reversed.
User and passwords are for demonstration purposes only 😀
Now check your VS and push policy
Thu 13 Feb 2025 @ 03:00 AM (CET)
Navigating the Cyber Frontier: A Check Point Executive Briefing - APACThu 13 Feb 2025 @ 03:00 PM (CET)
Navigating the Cyber Frontier: A Check Point Executive Briefing - EMEAThu 13 Feb 2025 @ 02:00 PM (EST)
Navigating the Cyber Frontier: A Check Point Executive Briefing - AmericasFri 14 Feb 2025 @ 10:00 AM (CET)
CheckMates Live Netherlands - Sessie 33: CPX 2025 terugblik!Tue 18 Feb 2025 @ 03:00 PM (CET)
Why Adding SASE to Your Network Infrastructure is a Win-Win - EMEATue 18 Feb 2025 @ 02:00 PM (EST)
Why Adding SASE to Your Network Infrastructure is a Win-Win - AMERICASThu 13 Feb 2025 @ 03:00 AM (CET)
Navigating the Cyber Frontier: A Check Point Executive Briefing - APACThu 13 Feb 2025 @ 03:00 PM (CET)
Navigating the Cyber Frontier: A Check Point Executive Briefing - EMEAThu 13 Feb 2025 @ 02:00 PM (EST)
Navigating the Cyber Frontier: A Check Point Executive Briefing - AmericasFri 14 Feb 2025 @ 10:00 AM (CET)
CheckMates Live Netherlands - Sessie 33: CPX 2025 terugblik!Tue 18 Feb 2025 @ 03:00 PM (CET)
Why Adding SASE to Your Network Infrastructure is a Win-Win - EMEATue 18 Feb 2025 @ 02:00 PM (EST)
Why Adding SASE to Your Network Infrastructure is a Win-Win - AMERICAS
