Firewall Policy migration from Checkpoint R80.10 to Cisco FTD 6.4

We are in the process of migrating a huge firewall policy from Checkpoint to Cisco ACP policy, and it seems that there is no tool available to migrate the policy easily, rule by rule with objects, to ACP.

We tried to do this with the Cisco tool available to convert from Checkpoint to Cisco ASA policy, and then used Tufin to migrate the Cisco ASA policy to Cisco FTD ACP policy. This created unwanted garbage objects, and the rules were filled up with these unknown objects. This process would take more time and effort in dollar value, and so we followed the manual process.

Also, there is no tool available for merging a policy with the existing Cisco ACP. So, we followed the steps below and were successful on the first attempt.

1. Create Pre-Filter rules which are global in the Checkpoint policy.

2. Create a DNS policy to block.

3. Create a Security Intelligence policy to block the known networks and URLs.

4. Create the IPS policy with reference to the Checkpoint intrusion policy. The policy could be separated into external and internal IPS policies.

5. Create the AMP policy to block the file contents. The policy could be separated into external and internal AMP policies.

6. Create the internal and external variables for Home Network.

7. Place the global and non-inspection rules at the top of the ACP policy.

8. Create the Application, URL, Zone-to-Zone and FQDN categories accordingly in the ACP policy.

9. Create the NAT policy accordingly.

10. Create an explicit deny rule at the end of the ACP policy.

The above process of creating each rule and object will consume time, but will give a clean and accurate policy migration from Checkpoint to Cisco.
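The hygiene points the post raises (garbage objects left behind by the converter chain, global rules at the top, an explicit deny at the very end) can be checked mechanically once the migrated rules are exported. The script below is an added example, not code from the post or from Check Point or Cisco; it uses a constructed, simplified rule/object model and is not the FMC export format or API schema.

```python
from typing import Dict, List, Set

# Constructed, simplified access-control model for illustration only;
# it is not the FMC/FTD API schema or any real policy export format.
OBJECTS: Dict[str, str] = {
    "net-corp": "10.20.0.0/16",
    "net-dmz": "10.10.0.0/24",
    "host-legacy-1": "192.0.2.10",  # converter left-over, used by no rule
    "host-legacy-2": "192.0.2.11",  # converter left-over, used by no rule
}
RULES: List[dict] = [
    {"name": "global-mgmt", "action": "ALLOW", "src": ["net-corp"], "dst": ["net-dmz"]},
    {"name": "web-to-dmz", "action": "ALLOW", "src": ["any"], "dst": ["net-dmz"]},
    {"name": "explicit-deny", "action": "BLOCK", "src": ["any"], "dst": ["any"]},
]

def referenced_objects(rules: List[dict]) -> Set[str]:
    """Every object name used in any rule's source or destination."""
    return {o for r in rules for o in r["src"] + r["dst"] if o != "any"}

def unreferenced_objects(rules: List[dict], objects: Dict[str, str]) -> Set[str]:
    """Objects defined but never used: the 'garbage' a converter leaves behind."""
    return set(objects) - referenced_objects(rules)

def dangling_references(rules: List[dict], objects: Dict[str, str]) -> Set[str]:
    """Object names a rule uses that no object definition backs."""
    return referenced_objects(rules) - set(objects)

def is_catch_all_block(rule: dict) -> bool:
    # A BLOCK rule matching any source and any destination.
    return rule["action"] == "BLOCK" and rule["src"] == ["any"] and rule["dst"] == ["any"]

def has_final_explicit_deny(rules: List[dict]) -> bool:
    """The policy must end with an explicit any/any deny (step 10 of the post)."""
    return bool(rules) and is_catch_all_block(rules[-1])

def shadowed_rules(rules: List[dict]) -> List[str]:
    """Rules placed after a catch-all deny can never match; flag them by name."""
    for i, r in enumerate(rules):
        if is_catch_all_block(r):
            return [x["name"] for x in rules[i + 1:]]
    return []

def audit(rules: List[dict], objects: Dict[str, str]) -> dict:
    return {
        "unreferenced": sorted(unreferenced_objects(rules, objects)),
        "dangling": sorted(dangling_references(rules, objects)),
        "final_deny": has_final_explicit_deny(rules),
        "shadowed": shadowed_rules(rules),
    }
```

Run `audit(RULES, OBJECTS)` against a rule list produced by the conversion chain; any entry under `unreferenced` is a candidate for deletion, and any entry under `shadowed` is a rule that will never be hit.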
