Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Robert_Decker
Advisor
Jump to solution

How to migrate Juniper configuration to Check Point R80 Management Server database?

How to migrate Juniper JunoOS / ScreenOS configuration to Check Point R80 Management Server database?

1 Solution

Accepted Solutions
Robert_Decker
Advisor

Check Point SmartMove tool enables you to convert 3rd party database with firewall security policy and NAT to Check Point database.

At the moment, the tool parses Cisco ASA, Juniper JunosOS and ScreenOS configurations and converts its objects, NAT and firewall policy to a Check Point R80.10 compliant policy. The tool is planned to support additional vendors and security configurations in the future.

The tool generates bash scripts by utilizing Check Point Management API's command line interface, to migrate the converted policy into a R80.10 Management (or Multi-Domain) server.

View solution in original post

18 Replies
Robert_Decker
Advisor

Check Point SmartMove tool enables you to convert 3rd party database with firewall security policy and NAT to Check Point database.

At the moment, the tool parses Cisco ASA, Juniper JunosOS and ScreenOS configurations and converts its objects, NAT and firewall policy to a Check Point R80.10 compliant policy. The tool is planned to support additional vendors and security configurations in the future.

The tool generates bash scripts by utilizing Check Point Management API's command line interface, to migrate the converted policy into a R80.10 Management (or Multi-Domain) server.

Ronen_Zel
Mod
Mod
0 Kudos
Robert_Decker
Advisor

Currently, the following Juniper configurations can be migrated:

Supported GatewaySupported OS
Juniper SRX SeriesJunosOS version 12.1 and above
Juniper SSG SeriesScreenOS version 6.3 (R19B/R22) and above

Enjoy.

yoram_baruchian
Explorer

Hi

i am trying to migrate from juniper cluster of 2  srx 650 ver 12.1x46-d35 .

i export the configuration with: show configuration | display xml | no-more

when i run the utility i get this error:

Could not parse configuration file.

Message:Data at  the root level is invalid line 11640 position 1

Module: System.Xml

Class:XmlTextReaderlmpl

Methode:Throw

any help will be appreciate

Thanks

Yoram

0 Kudos
Robert_Decker
Advisor

Hi,

It seems that the XML file is invalid.

Try to open it in Internet Explorer or any other XML viewer/editor.

Robert.

yoram_baruchian
Explorer

Hi

thanks for your help

it was a problem with the xml file 

now it work fine except of the nat translation 

will try to fiure out way

thanks

0 Kudos
Robert_Decker
Advisor

If you can explain what doesn't work with NAT, I'll try to assist.

robert.

0 Kudos
Robert_Canis
Participant

I'm getting the same error.  What exactly was the issue?  I"ve never seen the xml file before so I don't know how to fix this error.

0 Kudos
Moe_89
Contributor

Hi, 

The tool works great and has saved a lot of time for us. I just wanted to know since DIP configuration is not converted by smartmove. What NAT configuration will be appropriate to manually do this in Checkpoint? 

0 Kudos
Robert_Decker
Advisor

Hi,

I'll check this with our security experts and get back to you.

Robert.

0 Kudos
Robert_Decker
Advisor

Hi,

In the case of interface with dynamic IP configuration, which is not supported by the tool, you need to perform a pre-migration task - Replace DAIP interfaces with static IP addresses.

Later, post-migration, you can manually modify the generated NAT rules.

This is also mentioned in the accompanied SK - 

Robert.

0 Kudos
Moe_89
Contributor

 Thanks for the reply. I did have to create the NAT rules manually after migration. But if there was DIP NAT in juniper, do I have to create an ip pool NAT in Checkpoint.

 Basically a comparison of NAT methods in juniper and their equivalent in checkpoint would be really helpful. 

0 Kudos
Robert_Decker
Advisor

IP pool NAT can be an option, but I'll give you an authorized answer from our NAT team members tomorrow.

Regarding the NAT comparison, please take a look at this - 

https://www.51sec.org/2015/07/checkpoint-nat-concepts-and-server-side-nat-explanation/

Robert.

0 Kudos
Robert_Decker
Advisor

Hi,

I've checked with our NAT experts, and they suggest using dynamic objects as a source/destination in your NAT rule.

Then, go to your gateway and run "dynamic_objects" command to configure the IP addresses.

Robert.

0 Kudos
Moe_89
Contributor

Thanks for the update Robert.

0 Kudos
Robert_Decker
Advisor

No problem. Does it make sense for your configuration?

0 Kudos
Moe_89
Contributor

It does make sense. But I have noticed in the current juniper configuration that although DIP is configured it just has one one IP in the pool.

Eg. set interface ethernet1/1 ext ip 10.10.xx.xx 255.255.255.224 dip 9 192.168.1.1 192.168.1.1

In this case i dont have to use Dynamic Object in NAT rule but just a manual Hide NAT Rule.

0 Kudos
Robert_Decker
Advisor

yes, you are correct.

0 Kudos
Upcoming Events

    CheckMates Events