This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Robert_Decker
Advisor
‎2017-11-19 01:34 AM
Jump to solution

How to migrate Juniper configuration to Check Point R80 Management Server database?

How to migrate Juniper JunoOS / ScreenOS configuration to Check Point R80 Management Server database?

1 Solution

Accepted Solutions
Robert_Decker
Advisor
‎2017-11-19 01:41 AM
Jump to solution

Check Point SmartMove tool enables you to convert 3rd party database with firewall security policy and NAT to Check Point database.

At the moment, the tool parses Cisco ASA, Juniper JunosOS and ScreenOS configurations and converts its objects, NAT and firewall policy to a Check Point R80.10 compliant policy. The tool is planned to support additional vendors and security configurations in the future.

The tool generates bash scripts by utilizing Check Point Management API's command line interface, to migrate the converted policy into a R80.10 Management (or Multi-Domain) server.

View solution in original post

18 Replies
Robert_Decker
Advisor
‎2017-11-19 01:41 AM
Jump to solution

Check Point SmartMove tool enables you to convert 3rd party database with firewall security policy and NAT to Check Point database.

At the moment, the tool parses Cisco ASA, Juniper JunosOS and ScreenOS configurations and converts its objects, NAT and firewall policy to a Check Point R80.10 compliant policy. The tool is planned to support additional vendors and security configurations in the future.

The tool generates bash scripts by utilizing Check Point Management API's command line interface, to migrate the converted policy into a R80.10 Management (or Multi-Domain) server.

Ronen_Zel
Employee
Employee
‎2017-11-27 04:12 AM
In response to Robert_Decker
Jump to solution

See also sk115416 - How to migrate a competitor's database to Check Point with SmartMove.

0 Kudos
Robert_Decker
Advisor
‎2017-11-19 01:47 AM
Jump to solution

Currently, the following Juniper configurations can be migrated:

Supported GatewaySupported OS
Juniper SRX SeriesJunosOS version 12.1 and above
Juniper SSG SeriesScreenOS version 6.3 (R19B/R22) and above

Enjoy.

yoram_baruchian
Explorer
‎2018-06-24 01:47 PM
In response to Robert_Decker
Jump to solution

Hi

i am trying to migrate from juniper cluster of 2  srx 650 ver 12.1x46-d35 .

i export the configuration with: show configuration | display xml | no-more

when i run the utility i get this error:

Could not parse configuration file.

Message:Data at  the root level is invalid line 11640 position 1

Module: System.Xml

Class:XmlTextReaderlmpl

Methode:Throw

any help will be appreciate

Thanks

Yoram

0 Kudos
Robert_Decker
Advisor
‎2018-06-24 01:58 PM
In response to yoram_baruchian
Jump to solution

Hi,

It seems that the XML file is invalid.

Try to open it in Internet Explorer or any other XML viewer/editor.

Robert.

yoram_baruchian
Explorer
‎2018-06-26 11:37 AM
In response to Robert_Decker
Jump to solution

Hi

thanks for your help

it was a problem with the xml file 

now it work fine except of the nat translation 

will try to fiure out way

thanks

0 Kudos
Robert_Decker
Advisor
‎2018-06-26 12:03 PM
In response to yoram_baruchian
Jump to solution

If you can explain what doesn't work with NAT, I'll try to assist.

robert.

0 Kudos
Robert_Canis
Participant
‎2020-12-28 10:07 AM
In response to yoram_baruchian
Jump to solution

I'm getting the same error.  What exactly was the issue?  I"ve never seen the xml file before so I don't know how to fix this error.

0 Kudos
Moe_89
Contributor
‎2018-05-04 11:35 PM
Jump to solution

Hi, 

The tool works great and has saved a lot of time for us. I just wanted to know since DIP configuration is not converted by smartmove. What NAT configuration will be appropriate to manually do this in Checkpoint? 

0 Kudos
Robert_Decker
Advisor
‎2018-05-05 12:06 AM
In response to Moe_89
Jump to solution

Hi,

I'll check this with our security experts and get back to you.

Robert.

0 Kudos
Robert_Decker
Advisor
‎2018-05-07 06:08 AM
In response to Moe_89
Jump to solution

Hi,

In the case of interface with dynamic IP configuration, which is not supported by the tool, you need to perform a pre-migration task - Replace DAIP interfaces with static IP addresses.

Later, post-migration, you can manually modify the generated NAT rules.

This is also mentioned in the accompanied SK - 

Robert.

0 Kudos
Moe_89
Contributor
‎2018-05-07 06:20 AM
Jump to solution

 Thanks for the reply. I did have to create the NAT rules manually after migration. But if there was DIP NAT in juniper, do I have to create an ip pool NAT in Checkpoint.

 Basically a comparison of NAT methods in juniper and their equivalent in checkpoint would be really helpful. 

0 Kudos
Robert_Decker
Advisor
‎2018-05-07 06:52 AM
In response to Moe_89
Jump to solution

IP pool NAT can be an option, but I'll give you an authorized answer from our NAT team members tomorrow.

Regarding the NAT comparison, please take a look at this - 

https://www.51sec.org/2015/07/checkpoint-nat-concepts-and-server-side-nat-explanation/

Robert.

0 Kudos
Robert_Decker
Advisor
‎2018-05-09 06:57 AM
In response to Moe_89
Jump to solution

Hi,

I've checked with our NAT experts, and they suggest using dynamic objects as a source/destination in your NAT rule.

Then, go to your gateway and run "dynamic_objects" command to configure the IP addresses.

Robert.

0 Kudos
Moe_89
Contributor
‎2018-05-13 06:24 AM
In response to Robert_Decker
Jump to solution

Thanks for the update Robert.

0 Kudos
Robert_Decker
Advisor
‎2018-05-13 06:27 AM
In response to Moe_89
Jump to solution

No problem. Does it make sense for your configuration?

0 Kudos
Moe_89
Contributor
‎2018-05-14 02:16 AM
In response to Robert_Decker
Jump to solution

It does make sense. But I have noticed in the current juniper configuration that although DIP is configured it just has one one IP in the pool.

Eg. set interface ethernet1/1 ext ip 10.10.xx.xx 255.255.255.224 dip 9 192.168.1.1 192.168.1.1

In this case i dont have to use Dynamic Object in NAT rule but just a manual Hide NAT Rule.

0 Kudos
Robert_Decker
Advisor
‎2018-05-14 02:28 AM
In response to Moe_89
Jump to solution

yes, you are correct.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events