Di_Junior
Advisor

Migration from CISCO ASA to Check Point using SmartMove

Dear Mates


One of my clients wishes to migrate from CISCO ASA to Check Point, and I will be working with them in this process.
I have tested SmartMove, and the migration in the lab environment worked just fine. However, I noticed that when running the policy script, it created in-line layers in the Access Control Policy.
I would like to know if this is normal behaviour, or if there is anything that could be done in order to avoid that.
Additionally, I would like to know what precautions I should be aware of in order to have a successful move.

Thanks in advance

0 Kudos
9 Replies
Benedikt_Weissl
Advisor

I've used SmartMove to migrate a customer from Juniper to Check Point and the policy script created the same in-line layers, so that should be normal. Since your customer is currently using an ASA there is likely more Cisco equipment present, so check out sk44898.

Di_Junior
Advisor

Hi Benedikt

Thank you.

Just a question, after migrating the rules to Check Point Management Server, assuming you had a Distributed Environment (SMS + SGW) what did you have to do on the Security Gateway side?

Thanks in advance
0 Kudos
Benedikt_Weissl
Advisor

You have to do everything on the gateway side if memory serves me right. SmartMove will only migrate the policy. You have to create the interfaces, routing, zones...

We've installed a modified version of the converted policy. Check the policy SmartMove created before installing. Almost every time we migrate from a different vendor to Check Point there is something in the original policy we can optimize.

0 Kudos
Di_Junior
Advisor

Additionally, when pushing the policy for the first time into the security gateways, which policy package did you push: Converted Policy or Converted Optimized Policy?
0 Kudos
FedericoMeiners
Advisor

Junior,

Hope you are doing fine, currently we are undertaking a migration of 60 ASA gateways to Check Point using SmartMove. Here are my two cents:

Inline policies are used to emulate, in a certain way, the interface approach to creating rules on ASA gateways; after importing rules you will probably see that you have certain rules with zones for source and destination.

Depending on the criticality level of the gateway we use the standard rulebase or the optimized rulebase. For critical systems we use the standard rulebase generated by SmartMove since it's easier to analyze than the optimized rulebase. Our experience showed that they both work fine.

One MAJOR drawback of importing an ASA rulebase is that you don't have outgoing ACLs in the show run; this limitation is noted in the SmartMove SK. Most of the time this will not cause you a traffic outage, but it will decrease your rulebase security since you will not have implied drops.

Last but not least, be sure to fix all the shadowed, duplicated or overlapping rules in ASA before importing them to Check Point.

Hope it helps 🙂

____________
https://www.linkedin.com/in/federicomeiners/
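To make the two pre-migration checks above concrete, here is an added Python example (not from this thread and not part of SmartMove) that scans a constructed `show run` excerpt for ACLs applied in the `out` direction, exact duplicate ACEs, and ACEs shadowed by a catch-all `ip any any` entry; the ASA line formats it parses are the standard `access-list ... extended` and `access-group` syntax, and the sample config is invented.

```python
import re
from collections import Counter, defaultdict

# Constructed ASA 'show run' excerpt for demonstration; not a real customer config.
ASA_SHOW_RUN = """\
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.11 eq 22
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list INSIDE_OUT extended deny ip any any
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT out interface inside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
CATCH_ALL_RE = re.compile(r"^(permit|deny) ip any any$")

def parse_asa(text):
    """Return ({acl_name: [ace, ...]}, [(acl_name, direction, interface), ...])."""
    aces, bindings = defaultdict(list), []
    for line in text.splitlines():
        if m := ACL_RE.match(line.strip()):
            aces[m.group(1)].append(m.group(2))
        elif m := GROUP_RE.match(line.strip()):
            bindings.append(m.groups())
    return aces, bindings

def outbound_acls(text):
    """ACLs bound with direction 'out' (not imported by SmartMove) and their ACE counts."""
    aces, bindings = parse_asa(text)
    return {acl: len(aces[acl]) for acl, direction, _ in bindings if direction == "out"}

def duplicate_aces(text):
    """Exact duplicate ACEs within one ACL; remove them on the ASA before converting."""
    aces, _ = parse_asa(text)
    return {acl: [a for a, n in Counter(v).items() if n > 1]
            for acl, v in aces.items() if len(set(v)) < len(v)}

def shadowed_aces(text):
    """ACEs placed after a catch-all 'ip any any' entry can never match (shadowed)."""
    aces, _ = parse_asa(text)
    result = {}
    for acl, entries in aces.items():
        hits = [i for i, a in enumerate(entries) if CATCH_ALL_RE.match(a)]
        if hits and entries[hits[0] + 1:]:
            result[acl] = entries[hits[0] + 1:]
    return result
```

Each outbound ACL the script reports is a place where the converted Check Point rulebase will be missing the ASA's drops, so review those before installing the policy.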
Di_Junior
Advisor

Thank you very much Federico
0 Kudos
Di_Junior
Advisor

Hi Federico

On the migrations you have done, did it also migrate the VPN communities?

Thanks in advance
0 Kudos
FedericoMeiners
Advisor

Yes, but you will have to do it manually. I guess that you can script it somehow using the mgmt_cli; personally I had a few tunnels so I did not bother.

It should be somewhat transparent if you have the correct secret and configurations.

____________
https://www.linkedin.com/in/federicomeiners/
Di_Junior
Advisor

Thanks a lot.
0 Kudos