SmartMove: Convert Cisco ASA Policy to Check Point
Check Point SmartMove tool enables you to convert 3rd party database with firewall security policy and NAT to Check Point database.
At the moment, the tool handles Cisco ASA (version 8.3 and above) configuration file and converts its objects, NAT and firewall policy to a Check Point R80.10 policy. The tool is planned to support additional vendors in the future.
Source is available on GitHub: SmartMove
Awesome
Plz also post in code library
All the information you need about SmartMove is available on sk115416
I am facing some issues while migrating the Cisco configuration.
1. In case of large object NATs in Cisco we are getting a system out of memory error.
2. Another issue is with time-based objects & policies: after converting the Cisco time-based policies we have seen an empty time-based object in our database, but the policy is working fine. When I manually update that empty time-based object, or create the same time-based object as per the Cisco configuration, and install the policy, it impacts the entire production and the gateway starts dropping all traffic.
It is a bit urgent as the customer has planned to roll out the migration tonight.
We are testing in our lab for one customer migration. Will keep you all posted with the outcome.
Hi Libin,
Could you please update us on the lab test or customer migration experience from ASA to Check Point?
Hello,
I am testing as well. On Smart Center R80.10 it works fine so far.
On MDS I have the following issue:
running the import scripts created by SmartMove, the policy package has not been created:
message: “Runtime error: No permissions to create Policy Package with Access Control Policy.”
Logging in...
create package [Cisco-ASA5506-SGL2_policy]
mgmt_cli add package name "Cisco-ASA5506-SGL2_policy" threat-prevention "false" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove
code: "generic_error"
message: "Runtime error: No permissions to create Policy Package with Access Control Policy."
Layers: Creating 4 sub-policies
create layer [OUTSIDE]
mgmt_cli add access-layer name "OUTSIDE" add-default-rule "false" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove
code: "generic_error"
message: "Runtime error: An internal error has occurred."
Add rules to layer OUTSIDE
mgmt_cli add access-rule layer "OUTSIDE" source "any" destination "WWW-EXT" service "http" action "accept" track-settings.type "Log" position "bottom" custom-fields.field-1 "Matched NAT rule ((130) translated source: WWW-EXT, translated dest: original)" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove
code: "generic_err_object_not_found"
message: "Requested object [Failed to find real id for fixed id '28fd2d79-f36d-40ae-a144-1800312acebb'] not found"
I would check the following:
1. API enabled
Access MDM with expert user and run:
# api status
2. Enable API to listen on all interfaces
3. Restart API:
Access MDM with expert user and run:
# api restart
-- wait a few minutes for the API to restart --
4. Verify the API user has proper permissions (you can use superuser)
5. Verify that you used the 'domain' option for SmartMove (Import to a domain)
sk115416, Section 8.C
- For Multi-Domain Security Management, in the "Import to a domain" field, enter the Domain name as it appears in SmartConsole - make sure you use the Domain name, not the Domain Management Server name
As Yael recommended:
- Information about SmartMove is available on sk115416
- I would recommend reviewing the short video (4.29 min)
Converting Another Vendor’s Security Policy to Check Point is a SmartMove | Tech Bytes - YouTube
The correct order for import:
1. objects
2. policy
3. policy_opt
Converting Another Vendor’s Security Policy to Check Point is a SmartMove | Tech Bytes - YouTube (1:56)
For the error:
mgmt_cli add access-rule layer "OUTSIDE" source "any" destination "WWW-EXT" service "http" action "accept" track-settings.type "Log" position "bottom" custom-fields.field-1 "Matched NAT rule ((130) translated source: WWW-EXT, translated dest: original)" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove
code: "generic_err_object_not_found"
message: "Requested object [Failed to find real id for fixed id '28fd2d79-f36d-40ae-a144-1800312acebb'] not found"
Object does not exist:
Access-rule "OUTSIDE"
OR
Object "WWW-EXT"
You can do a quick check: check for object "WWW-EXT".
In case it does not exist: we did not import objects OR the objects import failed
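To make the checks in the two replies above repeatable (match each failed mgmt_cli call with its code:/message: lines, then list the objects a failed rule references so they can be looked up in the target domain), here is a small added triage script. It is not part of SmartMove or of this thread; the sample log is constructed from the lines quoted above, and the Result/parse_log/objects_to_verify names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample, patterned on the SmartMove import log quoted earlier in the thread.
SAMPLE_LOG = """\
mgmt_cli add package name "Cisco-ASA5506-SGL2_policy" threat-prevention "false" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove
code: "generic_error"
message: "Runtime error: No permissions to create Policy Package with Access Control Policy."
mgmt_cli add access-rule layer "OUTSIDE" source "any" destination "WWW-EXT" service "http" action "accept" position "bottom" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove
code: "generic_err_object_not_found"
message: "Requested object [Failed to find real id for fixed id '28fd2d79-f36d-40ae-a144-1800312acebb'] not found"
mgmt_cli add access-rule layer "OUTSIDE" source "any" destination "any" service "https" action "drop" position "bottom" ignore-warnings true -s id.txt
"""

# access-rule arguments that name objects which must already exist in the target domain
REFERENCE_KEYS = ("layer", "source", "destination", "service")
KV_RE = re.compile(r'(\S+) "((?:[^"\\]|\\.)*)"')  # key "value" pairs on a mgmt_cli line

@dataclass
class Result:
    command: str      # e.g. "add access-rule"
    args: dict
    code: str = ""    # stays empty when no code:/message: lines followed the command
    message: str = ""

def parse_log(text):
    """Pair each mgmt_cli line with the code:/message: lines printed after it."""
    results = []
    for line in text.splitlines():
        if line.startswith("mgmt_cli "):
            results.append(Result(" ".join(line.split()[1:3]), dict(KV_RE.findall(line))))
        elif results and line.startswith("code:"):
            results[-1].code = line.split('"')[1]
        elif results and line.startswith("message:"):
            results[-1].message = line.split('"', 1)[1].rstrip('"')
    return results

def failures(text):
    return [r for r in parse_log(text) if r.code]

def objects_to_verify(text):
    """Names referenced by rules that failed with object-not-found; look each one up in the
    target domain before re-running the policy script (missing means the objects script
    was not run, or failed)."""
    names = set()
    for r in failures(text):
        if r.code == "generic_err_object_not_found":
            names.update(v for k, v in r.args.items() if k in REFERENCE_KEYS and v != "any")
    return names
```

Feed it the real log with `objects_to_verify(open("import.log").read())`; a "No permissions to create Policy Package" failure on the first command points at the MDS domain setting from the earlier reply rather than at missing objects.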
Hello Ofir,
Thank you for the information. Your answer helped to find the solution:
In case you are using MDS you have to provide a Domain Name in SmartMove: “Import to a domain (optional):”
Let’s assume I want to import into “DomainServer1”:
Domain Name: Domain1
Server Name: DomainServer1
In this case I have to provide the domain name “Domain1” in SmartView.
It is working now.
A newer version of the tool (version 1.3.6428.23210) prevents running the generated scripts on MDS.
When encountering an issue with SmartMove, please make sure you use the latest version of the tool, as published in sk115416.
The latest binaries of the SmartMove tool can always be downloaded from sk115416.
The latest source code, compatible with the latest tool version, can always be downloaded from the SmartMove GitHub repo.
Please keep updated.
sk115416 was updated:
- Added instructions for migrating Juniper configuration
- Improved design of this article
- Added "Table of Contents"
- Added "Revision History" section
Hi all,
Just released a new version of the tool - added support for Juniper JunosOS and ScreenOS configurations.
Please refer to the sk115416.
Enjoy!
Hi all,
I have started to use SmartMove (3_1_6871_28484) to migrate 2 Juniper JunOS 12.3 firewalls. I have not yet tried to import the configuration to Security Management R80.20, but the configuration shown in the intermediate html files seems fine... except for mainly 2 points which are a bit problematic in our case.
The first point is how duplicate objects in different zones are handled. I agree that the name must be unique, but if multiple occurrences of an object with the same name have the same IP address (network/range/...) definition, the way the SmartMove script is currently working leads to creating duplicate objects in the Check Point base for the same IP address (network/range/...) with just a different suffix with the zone name(s). I don't really see why SmartMove does not merge all such objects into only one.
Is there some specific reason? Could this behavior be updated, with an option to choose whether to enable merging or not, for example?
My second point is how the global policy is handled. If I understand correctly, the global rules are duplicated into each sub-policy created for each zone and also added at the end of the policy. For me, this leads to many duplicated rules, and it could be possible to only enforce the rules at the end of the policy on all (virtual) gateways to reach the same goal.
Again, is there some specific reason for that? Could this behavior be updated, with an option to choose whether to duplicate global rules to each sub-policy or not, for example?
My last question is regarding the import of 2 JunOS configurations to the same Security Management. Assuming that the same name/IP address is used for some objects in the 2 configuration files, what will happen when importing the 2nd configuration? Will the import of duplicate objects fail (and non-duplicates succeed), but will the policy import succeed as the objects with the correct name would have already been created during import of the 1st policy?
Sorry for the long post and really many thanks for your answer.
Hi,
Thanks for your feedback.
We plan to release a version that will know how to handle duplicated objects when using existing mgmt & global policy. This version will be available for Cisco on January 10th 2019 and for the rest of the vendors I hope by end of January 2019. Please contact me directly if you want to get the version before it is officially released, to test with your customers.
Thanks
Yael
Hi Yael,
Many thanks for your answer to my forum post. If it is possible I would be happy to test the new SmartMove release you are talking about on my Juniper SRX customer configurations and provide you a feedback regarding improvement.
Many thanks.
Tristan
Please contact me directly to yhaker@checkpoint.com
Thanks
Yael Haker
Customer Success and Pre-Sales Tools Manager
Check Point Software Technologies
Mobile: +972-5-3655929 | Office: +972-3-6115346
I found this post about SmartMove and I would like to ask you if there is any update on the duplicate objects when you import a policy.
Best Regards
Prodromos
Hi Team,
First of all, great job on the tool, I think this will help most engineers migrating to Check Point. One question left and still open though: are there plans for Palo Alto? It will help a lot of engineers/companies to get this.
PAN support for SmartMove is in the works, yes.
Hopefully it will be ready in the near future.
Hi,
We have SmartMove for PAN as an EA version that we can share with customers who are willing to test it in their lab.
Please contact me directly if you have customers/partners that want to test the tool that we have.
Thanks
Yael Haker
Customer Success and Pre-Sales Tools Manager
Check Point Software Technologies
Mobile: +972-5-3655929 | Office: +972-3-6115346
Hi Yael,
I will contact you as I am in a PAN migration at the moment and I do have a staging setup ready!
Hi Yael. I also have a customer that is starting a PAN to Check Point migration and is interested in this tool. I will reach out to you via email to request the tool.
Hi,
I hope this comment finds you all in good shape, great tool!
Are there any plans to include support for the migration of Sonicwall firewalls?
Thanks in advance,
Fabrizio
Nice tool!
During my first dry run I recognized that the result contains inline layers.
As I am not able to use layers in my policies due to different circumstances, is there a chance to disable layers for the conversion?
Thanks in advance.
Cheers
Sven
There is no option to disable inline layer creation, but if you cannot use them then just extract (copy/paste) the rules from each inline layer to the policy.
Hi
I have some issues converting a Cisco ASA config; it is a 5515 cluster running version 9.12(2).
After conversion with SmartMove the policy output is just the cleanup rule.
SmartMove version 5.1.7078.13288
Anyone know how I can check what the issue is?
NAT and objects output seem to give some more output, however the NAT looks a bit messy...
Thanks!
Best Regards, Rickard
@Durin
I had similar issues and solved it by modifying the encoding of the show running text file to UTF-8.
Hope it helps,
https://www.linkedin.com/in/federicomeiners/
I have tried with UTF-8 but I am still having the same issue.