Recently we came to know that zone-based firewall access with specific source & destination IPs cannot be configured in Check Point Maestro, but without zone-based ACLs we cannot migrate the configuration from Cisco Firepower to CP Maestro. What would be the way out for a successful migration? Please note that we cannot configure IP-based ACLs as we are already using classful IP blocks in different zones, and such micromanagement of ACLs would not help us do BAU work.
We've supported Zone-based Policies since R80...this includes Maestro.
Zones aren't listed as a limitation in SmartMove, either: https://support.checkpoint.com/results/sk/sk115416
Not clear what the issue is.
Can you elaborate?
I would also say SmartMove, but if it's not supported for this specific part, maybe reach out to your local Sales person so they can see if the Professional Services team may have better option(s) for you.
Best,
Andy
Yes, sir, we have a PS team from CP, but they still couldn't give a concrete opinion about the same, like an ACL solution including zone-based firewall ACLs for specific IPs.
Are you talking about converting a NAT policy? Security Zones have been supported in manual NAT rules since R81 and can exactly mimic the Cisco "interface pair" specification for matching NAT rules/statements.
No, sir, I am looking for a Cisco Firepower-like ACL solution including SRC Zone, SRC IP, SRC Port, DST Zone, DST IP, DST Port, Protocol.
Source/destination fields can contain both zones and IP addresses in the same cell.
Service field can contain both "services" (mostly port-based with handlers for some of them), and "applications" (which use Layer 7 signatures).
However, these are treated as "or" and not "and" as you seem to be suggesting you need.
If you're trying to match zone AND IP as part of a source/destination (meaning traffic must match both zone and IP), you will need to break it into two rules and use Inline Layers similar to:
In the main policy, Rule 3 matches if the source/destination zones are InternalZone and ExternalZone respectively.
If this rule does not match, the 3.x rules are skipped.
If this rule matches, then the subrules apply (for example 3.1 allows traffic between test and test2 and 3.2 blocks all other traffic from Internal Zone to External Zone).
To add an Inline Layer, change the action to Inline Layer and select the relevant blade(s) that will be active on that inline layer.
There are a couple of limits on policy layers: you can't push them to gateway versions prior to R80, and you can have a total of 251 layers in an Access Policy.
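As an added illustration (not from this thread and not Check Point code), here is a small Python model of the matching semantics described above: members of a source/destination cell are OR'ed, and an Inline Layer's sub-rules are consulted only when the parent rule matches, which is what turns the zone pair plus host pair into an AND. The zone names, the addresses given to the hosts `test` and `test2`, the stealth and DNS rules, and the implicit-cleanup Drop at the end of a layer are constructed assumptions for the example.

```python
# Added illustration, not Check Point code: a toy model of first-match
# Access Policy evaluation, used to show why "zone AND IP" needs an Inline Layer.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Packet:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str


@dataclass
class Rule:
    name: str
    source: List[str]        # zone names and/or CIDRs; members are OR'ed
    destination: List[str]   # same
    action: str              # "Accept", "Drop" or "Inline Layer"
    inline: List["Rule"] = field(default_factory=list)  # sub-rules, used only if this rule matches


def cell_matches(cell: List[str], zone: str, ip: str) -> bool:
    """A cell matches if ANY member matches (OR semantics, as the thread notes)."""
    if "Any" in cell:
        return True
    addr = ipaddress.ip_address(ip)
    for member in cell:
        if member == zone:            # member is a zone name
            return True
        try:
            if addr in ipaddress.ip_network(member, strict=False):
                return True           # member is an address/network
        except ValueError:
            pass                      # a zone name that did not match
    return False


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (cell_matches(rule.source, pkt.src_zone, pkt.src_ip)
            and cell_matches(rule.destination, pkt.dst_zone, pkt.dst_ip))


def decide(layer: List[Rule], pkt: Packet, prefix: str = "") -> Tuple[str, str]:
    """First-match evaluation. An Inline Layer's sub-rules (3.1, 3.2, ...) are
    only consulted when the parent rule (3) matches; otherwise they are skipped.
    Assumption: a layer in which nothing matched ends in an implicit cleanup Drop."""
    for pos, rule in enumerate(layer, start=1):
        rule_id = f"{prefix}{pos}"
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "Inline Layer":
            return decide(rule.inline, pkt, prefix=rule_id + ".")
        return rule_id, rule.action
    return f"{prefix}implicit-cleanup", "Drop"


# Constructed objects: the thread names hosts "test" and "test2"; their
# addresses, the zone names and the stealth/DNS rules are made up here.
TEST = "10.1.1.10/32"        # host "test", lives in InternalZone
TEST2 = "203.0.113.10/32"    # host "test2", lives in ExternalZone
GATEWAY = "192.0.2.1/32"
DNS = "192.0.2.53/32"

# One rule with zone and IP in the same cell: this is an OR, so it is
# looser than intended (a source in another zone still matches by IP).
FLAT_POLICY = [
    Rule("zone-or-ip", ["InternalZone", TEST], ["ExternalZone", TEST2], "Accept"),
    Rule("cleanup", ["Any"], ["Any"], "Drop"),
]

# The Inline Layer construction from the thread: rule 3 matches the zone
# pair, 3.1 allows test -> test2, 3.2 drops everything else in that pair.
INLINE_POLICY = [
    Rule("stealth", ["Any"], [GATEWAY], "Drop"),
    Rule("dns", ["InternalZone"], [DNS], "Accept"),
    Rule("Internal->External", ["InternalZone"], ["ExternalZone"], "Inline Layer", inline=[
        Rule("test->test2", [TEST], [TEST2], "Accept"),
        Rule("block rest", ["Any"], ["Any"], "Drop"),
    ]),
    Rule("cleanup", ["Any"], ["Any"], "Drop"),
]

if __name__ == "__main__":
    intended = Packet("InternalZone", "10.1.1.10", "ExternalZone", "203.0.113.10")
    wrong_zone = Packet("DMZ", "10.1.1.10", "ExternalZone", "203.0.113.10")
    other_host = Packet("InternalZone", "10.1.1.20", "ExternalZone", "203.0.113.10")
    for pkt in (intended, wrong_zone, other_host):
        print(pkt, "flat:", decide(FLAT_POLICY, pkt), "inline:", decide(INLINE_POLICY, pkt))
```

Running it shows the difference the thread is pointing at: the flat rule accepts the `wrong_zone` packet because its IP alone satisfies the OR'ed source cell, whereas under the inline construction that packet never enters the 3.x sub-rules and falls through to the cleanup rule, and a different internal host is dropped by 3.2 rather than silently accepted.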
Thanks for the feedback. I shall talk with my PS about it.