The Check Point SmartMove tool enables you to convert a 3rd-party database containing a firewall security policy and NAT into a Check Point database.
At the moment, the tool handles Cisco ASA (version 8.3 and above) configuration files and converts their objects, NAT and firewall policy to a Check Point R80.10 policy. The tool is planned to support additional vendors in the future.
Source is available on GitHub: SmartMove
Awesome
Please also post it in the code library.
All the information you need about SmartMove is available on sk115416.
I am facing some issues while migrating the Cisco configuration.
1. In the case of large object NATs in Cisco we are getting a "system out of memory" error.
2. Another issue is with time-based objects and policies. After converting the Cisco time-based policies we have seen an empty time-based object in our database, but the policy is working fine. When I manually update that empty time-based object, or create the same time-based object as per the Cisco configuration, and install the policy, it impacts the entire production and the gateway starts dropping all traffic.
It is a bit urgent as the customer has planned to roll out the migration tonight.
We are testing in our lab for one customer migration. Will keep you all posted with the outcome.
Hi Libin,
Could you please update lab test or customer migration experience from ASA to Checkpoint ?
Hello,
I am testing as well. On Smart Center R80.10 it works fine so far.
On MDS I have following issue:
When running the import scripts created by SmartMove, the policy package was not created:
message: "Runtime error: No permissions to create Policy Package with Access Control Policy."
Logging in...
create package [Cisco-ASA5506-SGL2_policy]
mgmt_cli add package name "Cisco-ASA5506-SGL2_policy" threat-prevention "false" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove
code: "generic_error"
message: "Runtime error: No permissions to create Policy Package with Access Control Policy."
Layers: Creating 4 sub-policies
create layer [OUTSIDE]
mgmt_cli add access-layer name "OUTSIDE" add-default-rule "false" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove
code: "generic_error"
message: "Runtime error: An internal error has occurred."
Add rules to layer OUTSIDE
mgmt_cli add access-rule layer "OUTSIDE" source "any" destination "WWW-EXT" service "http" action "accept" track-settings.type "Log" position "bottom" custom-fields.field-1 "Matched NAT rule ((130) translated source: WWW-EXT, translated dest: original)" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove
code: "generic_err_object_not_found"
message: "Requested object [Failed to find real id for fixed id '28fd2d79-f36d-40ae-a144-1800312acebb'] not found"
I would check the following:
1. API enabled
Access the MDM with an expert user and run:
# api status
2. Enable the API to listen on all interfaces
3. Restart the API:
Access the MDM with an expert user and run:
# api restart
-- wait a few minutes for the API to restart --
4. Verify that the API user has proper permissions (you can use a superuser)
5. Verify that you used the 'domain' option for SmartMove (Import to a domain)
sk115416, Section 8.C: In the "Import to a domain" field, enter the Domain name as it appears in SmartConsole.
As Yael recommended:
- Information about SmartMove is available on sk115416
- I would recommend reviewing the short video (4.29 min)
Converting Another Vendor’s Security Policy to Check Point is a SmartMove | Tech Bytes - YouTube
The correct order for import:
1. objects
2. policy
3. policy_opt
Converting Another Vendor’s Security Policy to Check Point is a SmartMove | Tech Bytes - YouTube (1:56)
For the error:
mgmt_cli add access-rule layer "OUTSIDE" source "any" destination "WWW-EXT" service "http" action "accept" track-settings.type "Log" position "bottom" custom-fields.field-1 "Matched NAT rule ((130) translated source: WWW-EXT, translated dest: original)" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove
code: "generic_err_object_not_found"
message: "Requested object [Failed to find real id for fixed id '28fd2d79-f36d-40ae-a144-1800312acebb'] not found"
An object does not exist:
Access-layer "OUTSIDE"
OR
Object "WWW-EXT"
You can do a quick check: check for object "WWW-EXT".
In case it does not exist: the objects were not imported OR the objects import failed.
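As an added example (not part of this thread and not SmartMove's own code), a small Python script that reads the output the generated import script prints, pairs each failed mgmt_cli call with its code/message lines, and applies the ordering logic above (objects, then package, then layers, then rules) to separate root causes from knock-on errors. The sample log is constructed from the lines quoted in this thread.

```python
import re
from collections import namedtuple

# Constructed sample: the three failed mgmt_cli calls quoted above, progress lines trimmed.
SAMPLE_LOG = """\
mgmt_cli add package name "Cisco-ASA5506-SGL2_policy" threat-prevention "false" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove
code: "generic_error"
message: "Runtime error: No permissions to create Policy Package with Access Control Policy."
mgmt_cli add access-layer name "OUTSIDE" add-default-rule "false" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove
code: "generic_error"
message: "Runtime error: An internal error has occurred."
mgmt_cli add access-rule layer "OUTSIDE" source "any" destination "WWW-EXT" service "http" action "accept" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove
code: "generic_err_object_not_found"
message: "Requested object [Failed to find real id for fixed id '28fd2d79-f36d-40ae-a144-1800312acebb'] not found"
"""

# command is e.g. "add access-layer"; name is the package/layer name, or the layer a rule targets
Failure = namedtuple("Failure", "command name code message")
# the generated script prints the mgmt_cli line, then a code: and a message: line when it fails
CMD_RE = re.compile(r'^mgmt_cli (add \S+) (?:name|layer) "([^"]+)"')

def parse_failures(log):
    failures, cmd, code = [], None, None
    for line in log.splitlines():
        m = CMD_RE.match(line)
        if m:
            cmd, code = m.groups(), None
        elif cmd and line.startswith("code:"):
            code = line.split('"')[1]
        elif cmd and code and line.startswith("message:"):
            failures.append(Failure(*cmd, code, line.split('"', 1)[1].rstrip('"')))
            cmd = None
    return failures

def root_causes(failures):
    """Tag each failure as a root cause or a knock-on error. The import order is
    objects -> package -> layers -> rules, so a later step failing because an
    earlier one did is a symptom, not something to fix on its own."""
    package_failed = any(f.command == "add package" for f in failures)
    failed_layers = {f.name for f in failures if f.command == "add access-layer"}
    def verdict(f):
        if f.command == "add access-rule" and f.name in failed_layers:
            return f"symptom: layer {f.name!r} was never created"
        if f.command == "add access-rule":
            return "check that the objects import ran and the referenced object exists"
        if f.command == "add access-layer" and package_failed:
            return "symptom: package creation failed (permissions or missing domain)"
        return "root cause"
    return [(f, verdict(f)) for f in failures]
```

Feed it the captured output of the objects and policy scripts (for example `python3 triage.py < import.log` after reading stdin instead of SAMPLE_LOG) to see which of the errors actually needs fixing first.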
Hello Ofir,
Thank you for the information. Your answer helped to find the solution:
In case you are using MDS you have to provide a Domain Name in SmartMove. “Import to a domain(optional):”
Let’s assume I want to import into “DomainServer1”:
Domain Name: Domain1
Server Name: DomainServer1
In this case I have to provide the domain name “Domain1” in SmartView.
It is working now.
A newer version of the tool (version 1.3.6428.23210) prevents running the generated scripts on MDS.
When encountering an issue with SmartMove, please make sure you use the latest version of the tool, as published in sk115416.
The latest binaries of SmartMove tool can be always downloaded from sk115416.
The latest source code, compatible with the latest tool version, can be always downloaded from SmartMove GitHub repo.
Please keep up to date.
sk115416 was updated:
Hi all,
Just released a new version of the tool - added a support for Juniper JunosOS and ScreenOS configurations.
Please refer to the sk115416.
Enjoy!
Hi all,
I have started to use SmartMove (3_1_6871_28484) to migrate 2 Juniper JunOS 12.3 firewalls. I have not yet tried to import the configuration into Security Management R80.20, but the configuration shown in the intermediate HTML files seems fine... except for 2 main points which are a bit problematic in our case.
The first point is how duplicate objects in different zones are handled. I agree that a name must be unique, but if multiple occurrences of an object with the same name have the same IP address (network/range/...) definition, the way the SmartMove script is currently working leads to creating duplicate objects in the Check Point database for the same IP address (network/range/...), with just a different suffix of zone name(s). I don't really see why SmartMove does not merge all such objects into only one.
Are there some specific reasons? Could this behaviour be updated, with an option to choose whether to enable the merge or not, for example?
My second point is how the global policy is handled. If I understand correctly, the global rules are duplicated into each sub-policy created for each zone and also added at the end of the policy. For me, this leads to many duplicated rules, and it could be possible to only enforce the rules at the end of the policy on all (virtual) gateways to reach the same goal.
Again, are there some specific reasons for that? Could this behaviour be updated, with an option to choose whether to duplicate global rules into each sub-policy or not, for example?
My last question is regarding the import of 2 JunOS configurations into the same Security Management. Assuming that the same name/IP address is used for some objects in the 2 configuration files, what will happen when importing the 2nd configuration? Will the import of duplicate objects fail (and non-duplicate ones succeed), but will the policy import succeed, as the objects with the correct name would already have been created during the import of the 1st policy?
Sorry for the long post, and really many thanks for your answer.
Hi,
Thanks for your feedback.
We plan to release a version that will know how to handle duplicated objects when using an existing mgmt & global policy. This version will be available for Cisco during January 10th 2019, and for the rest of the vendors I hope by the end of January 2019. Please contact me directly if you want to get the version before it is officially released to test with your customers.
thanks
Yael
Hi Yael,
Many thanks for your answer to my forum post. If it is possible I would be happy to test the new SmartMove release you are talking about on my Juniper SRX customer configurations and provide you a feedback regarding improvement.
Many thanks.
Tristan
Hi Team,
First of all, great job on the tool; I think this will help most engineers migrating to Check Point. One question is left and still open though: are there plans for Palo Alto? It would help a lot of engineers/companies to get this.
PAN support for SmartMove is in the works, yes.
Hopefully it will be ready in the near future.
Hi,
We have SmartMove for PAN as an EA version that we can share with customers who are willing to test it in their lab.
Please contact me directly if you have customers/partners that want to test the tool that we have.
Thanks
Yael Haker
Customer Success and Pre-Sales Tools Manager
Check Point Software Technologies
Mobile: +972-5-3655929 | Office: +972-3-6115346
Hi Yael,
I will contact you as I am in a PAN migration at the moment and I do have a staging setup ready!
Hi Yael. I also have a customer that is starting a PAN to Check Point migration and is interested in this tool. I will reach out to you via email to request the tool.
Hi,
I hope this comment finds you all in good shape, great tool!
Are there any plans to include support for the migration of Sonicwall firewalls?
Thanks in advance,
Fabrizio
Nice tool!
During my first dry run I recognized that the result contains inline layers.
As I am not able to use layers in my policies due to different circumstances, is there a chance to disable layers for the conversion?
Thanks in advance.
Cheers
Sven
There is no option to disable inline layer creation, but if you cannot use it then just extract (copy/paste) the rules from each inline layer into the policy.
Hi
I have some issues converting a Cisco ASA config; it is a 5515 cluster running version 9.12(2).
After conversion with SmartMove the policy output is just the cleanup rule.
SmartMove version 5.1.7078.13288
Does anyone know how I can check what the issue is?
The NAT and objects output seems to give some more output, however the NAT looks a bit messy...
Thanks!
Best Regards, Rickard
@Durin
I had similar issues and solved it by modifying the encoding of the "show running" text file to UTF-8.
Hope it helps,
I have tried with UTF-8 but still having same issue.