Piyaldgupta
Participant

How to convert zone based firewall acl from Cisco Firepower to Checkpoint Maestro

Recently we learned that zone-based firewall access rules with specific source and destination IPs cannot be configured in Check Point Maestro, but without zone-based ACLs we cannot migrate the configuration from Cisco Firepower to CP Maestro. What would be the way out for a successful migration? Please note that we cannot configure IP-based ACLs, as we are already using classful IP blocks in different zones, and that level of ACL micromanagement would not let us do our BAU job.

0 Kudos
7 Replies
PhoneBoy
Admin

We've supported Zone-based Policies since R80...this includes Maestro.
Zones aren't listed in a limitation in SmartMove, either: https://support.checkpoint.com/results/sk/sk115416

Not clear what the issue is.
Can you elaborate?

the_rock
Legend

I would also say SmartMove, but if it's not supported for this specific part, maybe reach out to your local Sales person so they can see if the Professional Services team may have better option(s) for you.

Best,

Andy

Piyaldgupta
Participant

Yes sir, we have a PS team from CP, but they still couldn't give a concrete opinion about an ACL solution including zone-based firewall ACLs for specific IPs.

0 Kudos
Timothy_Hall
Legend

Are you talking about converting a NAT policy? Security Zones have been supported in manual NAT rules since R81 and can exactly mimic the Cisco "interface pair" specification for matching NAT rules/statements.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Piyaldgupta
Participant

No sir, I am looking for a Cisco Firepower-like ACL solution including SRC Zone, SRC IP, SRC Port, DST Zone, DST IP, DST Port, Protocol.

0 Kudos
PhoneBoy
Admin

Source/destination fields can contain both zones and IP addresses in the same cell.
Service field can contain both "services" (mostly port-based with handlers for some of them), and "applications" (which use Layer 7 signatures).
However, these are treated as "or" and not "and" as you seem to be suggesting you need.

If you're trying to match zone AND IP as part of a source/destination (meaning traffic must match both zone and IP), you will need to break it into two rules and use Inline Layers similar to:

[image: policy screenshot showing Rule 3 with an Inline Layer action and subrules 3.1 and 3.2]

In the main policy, Rule 3 matches if the source/destination zones are InternalZone and ExternalZone respectively.
If this rule does not match, the 3.x rules are skipped.
If this rule matches, then the subrules apply (for example 3.1 allows traffic between test and test2 and 3.2 blocks all other traffic from Internal Zone to External Zone).

To add an Inline Layer, change the action to Inline Layer and select the relevant blade(s) that will be active on that inline layer.

There are a couple of limits on policy layers: you can't push them to gateway versions prior to R80, and you can have a total of 251 layers in an Access Policy.

(1)
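As an added example (not code from the thread, from Check Point or from SmartMove), the script below turns Firepower-style ACL entries (src zone, src object, dst zone, dst object, service, action) into the two-level structure PhoneBoy describes: one parent rule per zone pair whose cells hold only zones, with action Apply Layer pointing at an inline layer, and inside that layer the IP/service subrules followed by an explicit drop like rule 3.2. It emits request bodies shaped like the Management API commands add-access-layer and add-access-rule; the field names (layer, position, source, destination, service, action, inline-layer, firewall, add-default-rule) and the parent layer name Network are assumptions taken from the API reference, so check them against your management version. The ACL rows, the zone names and the objects test, test2, web1 and db1 are constructed sample data and are assumed to already exist as objects.

```python
"""Firepower zone+IP ACL -> Check Point inline-layer request bodies (added example)."""
from collections import OrderedDict

# Constructed sample ACL in Firepower column order:
# (src zone, src object, dst zone, dst object, service, action)
SAMPLE_ACL = [
    ("InternalZone", "test", "ExternalZone", "test2", "https", "accept"),
    ("InternalZone", "test", "ExternalZone", "test2", "ssh", "accept"),
    ("DMZ", "web1", "InternalZone", "db1", "MySQL", "accept"),
]

CP_ACTION = {"accept": "Accept", "drop": "Drop"}


def group_by_zone_pair(acl):
    """Group rows by (src zone, dst zone), keeping first-seen order of pairs
    and the original ACL order of rows inside each pair."""
    groups = OrderedDict()
    for src_zone, src, dst_zone, dst, svc, action in acl:
        groups.setdefault((src_zone, dst_zone), []).append((src, dst, svc, action))
    return groups


def to_cp_object(name):
    """Firepower 'any' maps to the Check Point Any object; other names pass through."""
    return "Any" if name.lower() == "any" else name


def build_requests(acl, parent_layer="Network", prefix="zone-"):
    """Return an ordered list of (command, body) pairs.

    Zones and IP objects are never placed in the same cell: a cell is matched
    as OR, so zone AND IP needs the parent rule (zones) plus an inline layer
    (IPs/services). Field names are an assumption from the Management API."""
    out = []
    groups = group_by_zone_pair(acl)
    for pos, ((src_zone, dst_zone), entries) in enumerate(groups.items(), start=1):
        layer = f"{prefix}{src_zone}-to-{dst_zone}"
        # Inline layer with only the firewall blade; no server-added cleanup rule
        out.append(("add-access-layer",
                    {"name": layer, "firewall": True, "add-default-rule": False}))
        # Parent rule: zones only. Positions count from the top of the parent layer.
        out.append(("add-access-rule", {
            "layer": parent_layer, "position": pos,
            "name": f"{src_zone} to {dst_zone}",
            "source": src_zone, "destination": dst_zone, "service": "Any",
            "action": "Apply Layer", "inline-layer": layer,
        }))
        # Subrules: IP/service matching, applied only when the parent rule matched
        for sub_pos, (src, dst, svc, action) in enumerate(entries, start=1):
            out.append(("add-access-rule", {
                "layer": layer, "position": sub_pos,
                "name": f"{src} to {dst} {svc}",
                "source": to_cp_object(src), "destination": to_cp_object(dst),
                "service": to_cp_object(svc), "action": CP_ACTION[action],
            }))
        # Explicit drop for everything else between these zones, like rule 3.2
        out.append(("add-access-rule", {
            "layer": layer, "position": "bottom",
            "name": f"cleanup {src_zone} to {dst_zone}",
            "source": "Any", "destination": "Any", "service": "Any",
            "action": "Drop",
        }))
    return out


def _fmt(value):
    """Render a body value as a mgmt_cli argument."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return f'"{value}"'


def as_mgmt_cli(requests):
    """Render the bodies as mgmt_cli lines for review before anything is pushed."""
    return [f"mgmt_cli {cmd} " + " ".join(f"{k} {_fmt(v)}" for k, v in body.items())
            for cmd, body in requests]


if __name__ == "__main__":
    for line in as_mgmt_cli(build_requests(SAMPLE_ACL)):
        print(line)
```

Review the rendered lines before running them in a logged-in mgmt_cli session (or post each body to the matching /web_api command), then publish and verify with the Policy Verification that the parent rules sit above any broader rules in the same layer; because the parent rule is positioned by number, an existing rule base shifts down by the number of zone pairs inserted.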
Piyaldgupta
Participant

Thanks for the feedback. I shall talk with my PS about it.

0 Kudos