How to migrate Juniper configuration to Check Point R80 Management Server database?

How to migrate Juniper JunosOS / ScreenOS configuration to Check Point R80 Management Server database?

Accepted Solutions

Re: How to migrate Juniper configuration to Check Point R80 Management Server database?

The Check Point SmartMove tool enables you to convert a 3rd-party database with firewall security policy and NAT to a Check Point database.

At the moment, the tool parses Cisco ASA, Juniper JunosOS and ScreenOS configurations and converts their objects, NAT and firewall policy to a Check Point R80.10 compliant policy. The tool is planned to support additional vendors and security configurations in the future.

The tool generates bash scripts, utilizing the Check Point Management API's command line interface, to migrate the converted policy into an R80.10 Management (or Multi-Domain) server.

Re: How to migrate Juniper configuration to Check Point R80 Management Server database?

Currently, the following Juniper configurations can be migrated:

| Supported Gateway | Supported OS |
| --- | --- |
| Juniper SRX Series | JunosOS version 12.1 and above |
| Juniper SSG Series | ScreenOS version 6.3 (R19B/R22) and above |

Enjoy.

Re: How to migrate Juniper configuration to Check Point R80 Management Server database?

Hi

I am trying to migrate from a Juniper cluster of 2 SRX 650, ver 12.1x46-d35.

I export the configuration with: show configuration | display xml | no-more

When I run the utility I get this error:

Could not parse configuration file.

Message:Data at the root level is invalid line 11640 position 1

Module: System.Xml

Class:XmlTextReaderImpl

Method:Throw

Any help will be appreciated.

Thanks

Yoram

Re: How to migrate Juniper configuration to Check Point R80 Management Server database?

Hi,

It seems that the XML file is invalid.

Try to open it in Internet Explorer or any other XML viewer/editor.

Robert.
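
A scripted version of the check suggested in this reply, as an added example that is not part of the thread or of SmartMove: it reports the line and column where the export stops being well-formed XML and splits off any text captured outside the root element. The sample capture is constructed, and the idea that CLI text logged after the closing root tag is the cause is an assumption; the thread does not say what was wrong with the file.

```python
import re
import xml.parsers.expat

# Constructed sample (not from the thread): the export followed by the next
# CLI banner and prompt, as a terminal session log would capture them.
SAMPLE = (
    "<rpc-reply>\n"
    "  <configuration>\n"
    "    <version>12.1X46-D35</version>\n"
    "  </configuration>\n"
    "</rpc-reply>\n"
    "\n"
    "{primary:node0}\n"
    "admin@fw-a> \n"
)


def check_wellformed(text):
    """Return None if text is well-formed XML, else (line, column, reason, source_line)."""
    parser = xml.parsers.expat.ParserCreate()
    try:
        parser.Parse(text, True)
    except xml.parsers.expat.ExpatError as err:
        lines = text.splitlines()
        src = lines[err.lineno - 1] if 0 < err.lineno <= len(lines) else ""
        reason = xml.parsers.expat.ErrorString(err.code)
        return (err.lineno, err.offset + 1, reason, src)  # 1-based column
    return None


def trim_to_root(text):
    """Split a capture into (document, discarded_head, discarded_tail), or None."""
    root = re.search(r"<([A-Za-z_][\w.:-]*)", text)  # first element start tag
    if root is None:
        return None
    start = text.find("<")  # keeps an XML declaration if one is present
    close = "</%s>" % root.group(1)
    end = text.rfind(close)
    if end < root.start():
        return None  # root element is never closed: the export is truncated
    end += len(close)
    return text[start:end] + "\n", text[:start].strip(), text[end:].strip()


if __name__ == "__main__":
    print("before:", check_wellformed(SAMPLE))
    doc, head, tail = trim_to_root(SAMPLE)
    print("discarded after root:", repr(tail))
    print("after:", check_wellformed(doc))
```

Review the discarded head and tail before feeding the trimmed file to the converter, so that nothing other than capture debris is dropped.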

Re: How to migrate Juniper configuration to Check Point R80 Management Server database?

Hi,

Thanks for your help.

It was a problem with the XML file.

Now it works fine except for the NAT translation.

Will try to figure out way.

Thanks

Re: How to migrate Juniper configuration to Check Point R80 Management Server database?

If you can explain what doesn't work with NAT, I'll try to assist.

Robert.

Re: How to migrate Juniper configuration to Check Point R80 Management Server database?

Hi,

The tool works great and has saved a lot of time for us. I just wanted to know, since DIP configuration is not converted by SmartMove, what NAT configuration would be appropriate to do this manually in Check Point?

Re: How to migrate Juniper configuration to Check Point R80 Management Server database?

Hi,

I'll check this with our security experts and get back to you.

Robert.

Re: How to migrate Juniper configuration to Check Point R80 Management Server database?

Hi,

In the case of an interface with dynamic IP configuration, which is not supported by the tool, you need to perform a pre-migration task: replace DAIP interfaces with static IP addresses.

Later, post-migration, you can manually modify the generated NAT rules.

This is also mentioned in the accompanying SK - 

Robert.

Re: How to migrate Juniper configuration to Check Point R80 Management Server database?

Thanks for the reply. I did have to create the NAT rules manually after migration. But if there was DIP NAT in Juniper, do I have to create an IP pool NAT in Check Point?

Basically, a comparison of NAT methods in Juniper and their equivalents in Check Point would be really helpful.

Re: How to migrate Juniper configuration to Check Point R80 Management Server database?

IP pool NAT can be an option, but I'll give you an authorized answer from our NAT team members tomorrow.

Regarding the NAT comparison, please take a look at this - 

https://www.51sec.org/2015/07/checkpoint-nat-concepts-and-server-side-nat-explanation/

Robert.

Re: How to migrate Juniper configuration to Check Point R80 Management Server database?

Hi,

I've checked with our NAT experts, and they suggest using dynamic objects as a source/destination in your NAT rule.

Then, go to your gateway and run the "dynamic_objects" command to configure the IP addresses.

Robert.

Re: How to migrate Juniper configuration to Check Point R80 Management Server database?

Thanks for the update Robert.

Re: How to migrate Juniper configuration to Check Point R80 Management Server database?

No problem. Does it make sense for your configuration?

Re: How to migrate Juniper configuration to Check Point R80 Management Server database?

It does make sense. But I have noticed in the current Juniper configuration that although DIP is configured, it just has one IP in the pool.

E.g. set interface ethernet1/1 ext ip 10.10.xx.xx 255.255.255.224 dip 9 192.168.1.1 192.168.1.1

In this case I don't have to use a Dynamic Object in the NAT rule, but just a manual Hide NAT rule.

Re: How to migrate Juniper configuration to Check Point R80 Management Server database?

Yes, you are correct.

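
The rule the last two posts agree on (a DIP pool holding a single address maps to a manual Hide NAT rule), applied across a whole ScreenOS configuration, as an added example that is not part of the thread or of SmartMove. The first sample line is the one quoted above; the other two are constructed, and the label for multi-address pools only repeats the options raised earlier in the thread rather than a confirmed mapping.

```python
import ipaddress
import re

# Matches "set interface <if> [ext ip <ip> <mask>] dip <id> <first> <last>".
DIP_RE = re.compile(r"^set interface (\S+) .*?\bdip (\d+) (\S+) (\S+)")

SAMPLE_CONFIG = """\
set interface ethernet1/1 ext ip 10.10.xx.xx 255.255.255.224 dip 9 192.168.1.1 192.168.1.1
set interface ethernet0/2 dip 4 203.0.113.10 203.0.113.20
set interface ethernet0/2 ip 203.0.113.1/24
"""  # lines 2 and 3 are constructed for this example


def dip_pools(config):
    """List every DIP pool with its size and the NAT follow-up it needs."""
    pools = []
    for line in config.splitlines():
        match = DIP_RE.match(line.strip())
        if not match:
            continue
        iface, dip_id, first, last = match.groups()
        try:
            low = ipaddress.ip_address(first)
            high = ipaddress.ip_address(last)
        except ValueError:
            continue  # not an address range (other dip options): review by hand
        size = int(high) - int(low) + 1
        if size < 1:
            continue  # reversed range: treat as a config error, review by hand
        if size == 1:
            action = "manual Hide NAT rule"
        else:
            action = "review: IP pool NAT or dynamic object"
        pools.append({"interface": iface, "dip_id": dip_id, "first": str(low),
                      "last": str(high), "size": size, "action": action})
    return pools


if __name__ == "__main__":
    for pool in dip_pools(SAMPLE_CONFIG):
        print("{interface} dip {dip_id}: {first}-{last} "
              "({size} address(es)) -> {action}".format(**pool))
```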