This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Javier_Sanchez
Participant
‎2017-11-19 11:58 PM

Migration approach from interface flow policy

Hi all,

im facing a migration from various vendors to checkpoint environment, and im considering some options for the policy migration. Considering that the actual vendor used the interface policy flow definition, i would like to ask you about some experiences you have had in such deplyments ¿

Have you tried replicating the interface-flow policy, using the security zones ? I though that it would be the easiest approach but im not sure if considering that its not the "native" approach for checkpoint policy, im not sure if that replication attempt would be the safest bet.

But on the other hand, with the security zones, and layers is .. tempting to say the least :-). Could you please share you experiences if you had any in migrations similar ? Any regrets on using this approach if you did it that way ?

Regards

Javier Sanchez

0 Kudos
9 Replies
Marco_Valenti
Advisor
‎2017-11-20 01:15 AM

at the moment with r77.30 I'm using this kind of approach , section for interface and a clean up rule for every section with the relative associated networks , connection to the "internet" are the last on on the policy set although someone can say I'm trashing securexl and hit mechanism

In r80 you will have a lot more flexibility for sure using zones and layers

0 Kudos
Robert_Decker
Advisor
‎2017-11-20 02:01 AM

If you are addressing R80.10 migration, you can use our SmartMove tool.

It migrates Cisco ASA, Juniper JunosOS and ScreenOS configurations.

Robert.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2017-11-20 06:09 AM

I've seen Security Zones in action for R80.10 and they are great tools for simplifying policies; using them does not eliminate the need to still configure anti-spoofing though.  This isn't really documented yet, but use of Security Zones in policies does not appear to have a negative impact on SecureXL for throughput acceleration & templating, and even works with new features such as column matching/early drop.  There are underlying mechanisms visible in R80.10 gateway that ensure all these features are not negatively impacted by the use of Security Zone objects.

Now if only we could use Security Zones in manual NAT rules....

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Vladimir
Champion
Champion
‎2017-11-20 07:25 AM
In response to Timothy_Hall

Tim,

Can you describe the use case for the security zones in the manual NAT rules?

If zones are applied to more than one gateway/cluster, I have trouble visualizing the benefits.

Thank you.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2017-11-20 08:03 AM
In response to Vladimir

The main reason I wish Security Zones were available in manual NAT rules is ease of converting NAT policies from Cisco (which uses interface pairs) or from other firewall vendors that use Security Zones in their NAT policies.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Vladimir
Champion
Champion
‎2017-11-20 09:08 AM
In response to Timothy_Hall

In this case having the ability to make nested security zones would be beneficial.

Local zones could be used in cases you are describing whereas "global" or "parent" zones could be used for multiple gateways. 

0 Kudos
Robert_Decker
Advisor
‎2017-11-20 07:35 AM
In response to Timothy_Hall

You can create network group objects from the interface's routing table, and use them in manual NAT rules.

With one caution - if you have several interfaces with overlaping networks, you should use groups with exclusion instead...

Robert.

0 Kudos
Javier_Sanchez
Participant
‎2017-12-04 01:48 AM

I definitelly see benefits from having layers algo on the nat policy, hopefully we will see that feature during the R80 evolution.

By the way, i finally had to use the non optimized policy conversion from smartmove, the optimized one was not complete 😕

Regards

0 Kudos
Robert_Decker
Advisor
‎2017-12-04 02:06 AM
In response to Javier_Sanchez

Can you please elaborate on what was not complete?

Your input is valuable for our SmartMove tool to perform correctly.

Robert.

0 Kudos
Upcoming Events

    CheckMates Events