Hi All,
When migrating a Juniper SRX firewall (Junos) to a Check Point firewall, SmartMove is only available to convert the policy and objects. However, some configurations cannot be converted, for example the PBR.
After studying the Juniper documentation I am also struggling with how to convert it based on the Check Point architecture. Looking at the Juniper configuration, it consists of several parameters/sections regarding the PBR, for example the interface settings, routing options, etc. But the Check Point config is very straightforward. I believe the way to configure it and how the packet flows are totally different between these two vendors.
Hence, has anyone experienced converting Juniper PBR to Check Point PBR? Please give some advice.
Example Juniper PBR config:
<interface>
  <name>reth0</name>
  <redundant-ether-options>
    <redundancy-group>1</redundancy-group>
  </redundant-ether-options>
  <unit>
    <name>0</name>
    <family>
      <inet>
        <filter>
          <input>
            <filter-name>PBR-Conf</filter-name>
          </input>
        </filter>
        <address>
          <name>192.168.253.1/24</name>
        </address>
      </inet>
    </family>
  </unit>
</interface>
<routing-options>
  <interface-routes>
    <rib-group>
      <inet>PBR-rib</inet>
    </rib-group>
  </interface-routes>
  <rib-groups>
    <name>PBR-rib</name>
    <import-rib>inet.0</import-rib>
    <import-rib>PBR-Server.inet.0</import-rib>
  </rib-groups>
</routing-options>
<filter>
  <name>PBR-Conf</name>
  <term>
    <name>PBR_1</name>
    <from>
      <source-address>
        <name>0.0.0.0/0</name>
      </source-address>
      <destination-address>
        <name>192.168.253.219/32</name>
      </destination-address>
      <destination-port>https</destination-port>
    </from>
    <then>
      <routing-instance>
        <routing-instance-name>PBR-Server</routing-instance-name>
      </routing-instance>
    </then>
  </term>
  <term>
    <name>PBR_2</name>
    <from>
      <source-address>
        <name>0.0.0.0/0</name>
      </source-address>
      <destination-address>
        <name>192.168.253.20/32</name>
      </destination-address>
      <destination-port>9443</destination-port>
    </from>
    <then>
      <routing-instance>
        <routing-instance-name>PBR-Server</routing-instance-name>
      </routing-instance>
    </then>
  </term>
  <term>
    <name>AcceptAll</name>
    <then>
      <accept/>
    </then>
  </term>
</filter>
<routing-instances>
  <instance>
    <name>PBR-Server</name>
    <instance-type>forwarding</instance-type>
    <routing-options>
      <static>
        <route>
          <name>10.10.10.78/32</name>
          <next-hop>10.10.10.82</next-hop>
        </route>
        <route>
          <name>192.168.248.161/32</name>
          <next-hop>10.10.10.82</next-hop>
        </route>
      </static>
    </routing-options>
  </instance>
</routing-instances>
Note: Static NAT is involved. Please refer to the NAT rules below:
Original dst: 192.168.253.219/32 -> Translated dst: 10.10.10.78/32
Original dst: 192.168.253.20/32 -> Translated dst: 192.168.248.161/32
Best Regards,
Keon
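Added example (not part of the post above, and not a SmartMove or Check Point tool): a small Python script that parses the PBR-Conf filter and PBR-Server routing instance from the post and joins them with the static NAT note, producing one conversion-worksheet row per PBR term. It shows the point that matters when re-creating the policy on another platform: the Junos filter matches the pre-NAT destination, while the routes in the forwarding instance are for the translated address. The XML is re-typed from the post and wrapped in a single <configuration> root (an assumption made only so ElementTree can parse the fragments).

```python
import xml.etree.ElementTree as ET
# Constructed sample: the PBR-Conf filter and PBR-Server instance re-typed from
# the post, wrapped in one <configuration> root so ElementTree can parse them.
JUNOS_XML = """<configuration>
<filter><name>PBR-Conf</name>
 <term><name>PBR_1</name><from><destination-address><name>192.168.253.219/32</name></destination-address>
  <destination-port>https</destination-port></from>
  <then><routing-instance><routing-instance-name>PBR-Server</routing-instance-name></routing-instance></then></term>
 <term><name>PBR_2</name><from><destination-address><name>192.168.253.20/32</name></destination-address>
  <destination-port>9443</destination-port></from>
  <then><routing-instance><routing-instance-name>PBR-Server</routing-instance-name></routing-instance></then></term>
 <term><name>AcceptAll</name><then><accept/></then></term>
</filter>
<routing-instances><instance><name>PBR-Server</name><instance-type>forwarding</instance-type>
 <routing-options><static>
  <route><name>10.10.10.78/32</name><next-hop>10.10.10.82</next-hop></route>
  <route><name>192.168.248.161/32</name><next-hop>10.10.10.82</next-hop></route>
 </static></routing-options></instance></routing-instances>
</configuration>"""
# Static NAT rules from the post: original destination -> translated destination.
STATIC_NAT = {"192.168.253.219/32": "10.10.10.78/32",
              "192.168.253.20/32": "192.168.248.161/32"}

def pbr_terms(root):
    """Yield (term, dst_prefix, dst_port, instance) for terms that steer traffic."""
    for term in root.iterfind("./filter/term"):
        inst = term.findtext("./then/routing-instance/routing-instance-name")
        if inst is None:  # e.g. the final AcceptAll term: no PBR action
            continue
        yield (term.findtext("name"),
               term.findtext("./from/destination-address/name"),
               term.findtext("./from/destination-port"), inst)

def instance_routes(root):
    """Map routing-instance name -> {prefix: next-hop} from its static routes."""
    return {inst.findtext("name"): {r.findtext("name"): r.findtext("next-hop")
                                    for r in inst.iterfind("./routing-options/static/route")}
            for inst in root.iterfind("./routing-instances/instance")}

def conversion_worksheet(xml_text, nat):
    """One row per PBR term: pre-NAT match, post-NAT destination, next hop."""
    root = ET.fromstring(xml_text)
    routes = instance_routes(root)
    rows = []
    for name, dst, port, inst in pbr_terms(root):
        translated = nat.get(dst, dst)  # the filter matches the pre-NAT destination
        rows.append({"term": name, "match_dst": dst, "match_port": port, "translated_dst": translated,
                     "next_hop": routes.get(inst, {}).get(translated)})  # None: no route for it
    return rows
```

A row whose next_hop is None flags a term whose translated destination has no static route in the target routing instance, which is the consistency check to run before re-creating each rule on the new platform.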