PhoneBoy
Admin

SmartMove: Convert Cisco ASA Policy to Check Point

Check Point SmartMove tool enables you to convert 3rd party database with firewall security policy and NAT to Check Point database.

At the moment, the tool handles Cisco ASA (version 8.3 and above) configuration file and converts its objects, NAT and firewall policy to a Check Point R80.10 policy. The tool is planned to support additional vendors in the future.

Source is available on GitHub: SmartMove

37 Replies
Moti
Admin

Awesome

Plz also post in code library

0 Kudos
yael_haker
Employee Alumnus

All the information you need about SmartMove is available on sk115416

Mahipal_Singh
Employee

I am facing some issues while migrating the Cisco configuration.

1. In the case of large Object NATs in Cisco we are getting a "system out of memory" error.

2. Another issue is with time-based objects and policies. After converting the Cisco time-based policies we have seen an empty time-based object in our database, but the policy is working fine. When I manually update that empty time-based object, or create the same time-based object as per the Cisco configuration and install the policy, it impacts the entire production environment and the gateway starts dropping all traffic.

It is a bit urgent as the customer has planned to roll out the migration tonight.

 

0 Kudos
Libin_Thomas
Contributor

We are testing in our lab for one customer migration. Will keep you all posted with the outcome.

0 Kudos
Ravindra_Yadav
Participant

Hi Libin,

Could you please update lab test or customer migration experience from ASA to Checkpoint ?

0 Kudos
Sebastian_Gxxx
Contributor

Hello,

I am testing as well. On Smart Center R80.10 it works fine so far.

On MDS I have the following issue:

When running the import scripts created by SmartMove, the policy package is not created:
message: "Runtime error: No permissions to create Policy Package with Access Control Policy."


Logging in...

 

create package [Cisco-ASA5506-SGL2_policy]

 

mgmt_cli add package name "Cisco-ASA5506-SGL2_policy" threat-prevention "false" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove

code: "generic_error"

message: "Runtime error: No permissions to create Policy Package with Access Control Policy."

 

Layers: Creating 4 sub-policies

create layer [OUTSIDE]

 

mgmt_cli add access-layer name "OUTSIDE" add-default-rule "false" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove

code: "generic_error"

message: "Runtime error: An internal error has occurred."

 

Add rules to layer OUTSIDE

 

mgmt_cli add access-rule layer "OUTSIDE" source "any" destination "WWW-EXT" service "http" action "accept" track-settings.type "Log" position "bottom" custom-fields.field-1 "Matched NAT rule ((130) translated source: WWW-EXT, translated dest: original)" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove

code: "generic_err_object_not_found"

message: "Requested object [Failed to find real id for fixed id '28fd2d79-f36d-40ae-a144-1800312acebb'] not found"

0 Kudos
Ofir_Shikolski
Employee

I would check the following:

1. API enabled 

Access MDM with expert user and run: 

# api status 

2. Enable API to listen all interfaces

3. restart api :

Access MDM with expert user and run: 

# api restart 

-- wait a few minutes for the API to restart --

4. Verify that the API user has the proper permissions (you can use a superuser)

5. Verify that you used the 'domain' option for SmartMove (Import to a domain)

   sk115416 , Section 8.C

  • For Multi-Domain Security Management, in the "Import to a domain" field, enter the Domain name as it appears in SmartConsole
  • Make sure you use the Domain name, not the Domain Management Server name

As Yael recommended:

- Information about SmartMove is available on sk115416

- I would recommend reviewing this short video (4:29 min)

   Converting Another Vendor’s Security Policy to Check Point is a SmartMove | Tech Bytes - YouTube  

0 Kudos
Ofir_Shikolski
Employee

The correct order for import:

1. objects

2. policy

3. policy_opt 

Converting Another Vendor’s Security Policy to Check Point is a SmartMove | Tech Bytes - YouTube  (1:56)

For the error: 

mgmt_cli add access-rule layer "OUTSIDE" source "any" destination "WWW-EXT" service "http" action "accept" track-settings.type "Log" position "bottom" custom-fields.field-1 "Matched NAT rule ((130) translated source: WWW-EXT, translated dest: original)" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove

code: "generic_err_object_not_found"

message: "Requested object [Failed to find real id for fixed id '28fd2d79-f36d-40ae-a144-1800312acebb'] not found" 

An object does not exist:

Access-rule "OUTSIDE"

OR

Object "WWW-EXT"

 

You can do a quick check: look for the object "WWW-EXT".

In case it does not exist: we did not import objects, OR the objects import failed.
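The "quick check" above, together with the troubleshooting checklist in the previous reply, comes down to reading the output of the SmartMove-generated import script, pairing each mgmt_cli call with the code/message the API returned, and listing the objects a failed rule refers to so they can be looked up in SmartConsole. The following is an added example, not part of this thread or of the SmartMove tool: it parses a sample log constructed from the output quoted above. The set of names treated as predefined Check Point objects (such as "any" and "http") is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample: trimmed from the import-script output quoted in this thread.
SAMPLE_OUTPUT = """Logging in...

create package [Cisco-ASA5506-SGL2_policy]

mgmt_cli add package name "Cisco-ASA5506-SGL2_policy" threat-prevention "false" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove

code: "generic_error"

message: "Runtime error: No permissions to create Policy Package with Access Control Policy."

Layers: Creating 4 sub-policies

create layer [OUTSIDE]

mgmt_cli add access-layer name "OUTSIDE" add-default-rule "false" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove

code: "generic_error"

message: "Runtime error: An internal error has occurred."

Add rules to layer OUTSIDE

mgmt_cli add access-rule layer "OUTSIDE" source "any" destination "WWW-EXT" service "http" action "accept" track-settings.type "Log" position "bottom" custom-fields.field-1 "Matched NAT rule ((130) translated source: WWW-EXT, translated dest: original)" ignore-warnings true -s id.txt --user-agent mgmt_cli_smartmove

code: "generic_err_object_not_found"

message: "Requested object [Failed to find real id for fixed id '28fd2d79-f36d-40ae-a144-1800312acebb'] not found"
"""

CODE_RE = re.compile(r'^code:\s*"([^"]*)"')
MSG_RE = re.compile(r'^message:\s*"(.*)"\s*$')
# key "value" pairs on a mgmt_cli line, e.g. layer "OUTSIDE" or destination "WWW-EXT"
ARG_RE = re.compile(r'([\w.-]+)\s+"([^"]*)"')

# Assumption: these values name predefined objects that always exist on the
# management server, so a failed rule cannot be missing them.
PREDEFINED = {"any", "http", "https", "Log", "None"}

def parse_import_log(text):
    """Pair every mgmt_cli invocation with the code/message printed after it.
    A command that is not followed by a code: line is treated as successful."""
    steps = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("mgmt_cli "):
            current = {"command": line, "code": None, "message": None}
            steps.append(current)
            continue
        if current is None:
            continue
        m = CODE_RE.match(line)
        if m:
            current["code"] = m.group(1)
            continue
        m = MSG_RE.match(line)
        if m:
            current["message"] = m.group(1)
    return steps

def failed_steps(text):
    """Only the calls the API rejected."""
    return [s for s in parse_import_log(text) if s["code"] is not None]

def error_summary(text):
    """How many calls failed with each error code, for a first look at a long log."""
    return Counter(s["code"] for s in failed_steps(text))

def command_args(command):
    """Turn 'mgmt_cli add access-rule layer "OUTSIDE" ...' into {'layer': 'OUTSIDE', ...}."""
    return dict(ARG_RE.findall(command))

def objects_to_check(text):
    """Names referenced by rules that failed with object-not-found, in the order
    they appear: these are the objects to look up in SmartConsole."""
    names = []
    for step in failed_steps(text):
        if step["code"] != "generic_err_object_not_found":
            continue
        args = command_args(step["command"])
        for key in ("layer", "source", "destination", "service"):
            value = args.get(key)
            if value and value not in PREDEFINED and value not in names:
                names.append(value)
    return names

if __name__ == "__main__":
    for step in failed_steps(SAMPLE_OUTPUT):
        print(step["code"], "->", step["message"])
    print("objects to verify:", objects_to_check(SAMPLE_OUTPUT))
```

Run it against the captured output of the objects script first and then of the policy script: if the policy script reports missing objects that the objects script never created, the objects import is what needs fixing, which is the conclusion of the reply above.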

Sebastian_Gxxx
Contributor

Hello Ofir,

 

Thank you for the information. Your answer helped to find the solution:

In case you are using MDS, you have to provide a Domain Name in SmartMove ("Import to a domain (optional):").

 

Let’s assume I want to import into “DomainServer1”:

Domain Name: Domain1

Server Name: DomainServer1

 

In this case I have to provide the domain name “Domain1” in SmartView.

It is working now.

Robert_Decker
Advisor

A newer version of the tool (version 1.3.6428.23210) prevents running the generated scripts on MDS.

When encountering an issue with SmartMove, please make sure you use the latest version of the tool, as published in sk115416.

Robert_Decker
Advisor

The latest binaries of the SmartMove tool can always be downloaded from sk115416.

The latest source code, compatible with the latest tool version, can always be downloaded from the SmartMove GitHub repo.

Please keep updated.

Sergei_Shir
Employee

sk115416 was updated:

  • Added instructions for migrating Juniper configuration
  • Improved design of this article
  • Added "Table of Contents"
  • Added "Revision History" section
Robert_Decker
Advisor

Hi all,

Just released a new version of the tool - added support for Juniper JunOS and ScreenOS configurations.

Please refer to the sk115416.

Enjoy!

Tristan_Guilpin
Explorer

Hi all,

I have started to use SmartMove (3_1_6871_28484) to migrate 2 Juniper JunOS 12.3 firewalls. I have not yet tried to import the configuration into Security Management R80.20, but the configuration shown in the intermediate HTML files seems fine... except for mainly 2 points which are a bit problematic in our case.

The first point is how duplicate objects in different zones are handled. I agree that the name must be unique, but if multiple occurrences of an object with the same name have the same IP address (network/range/...) definition, the way the SmartMove script currently works leads to creating duplicate objects in the Check Point database for the same IP address (network/range/...), with just a different suffix with the zone name(s). I don't really see why SmartMove does not merge all such objects into only one.

Is there some specific reason? Could this behaviour be updated, with an option to choose whether to enable the merge or not, for example?

My second point is how the global policy is handled. If I understand correctly, the global rules are duplicated into each sub-policy created for each zone and also added at the end of the policy. For me, this leads to many duplicated rules, and it could be possible to only enforce the rules at the end of the policy to all (virtual) gateways to reach the same goal.

Again, is there some specific reason for that? Could this behaviour be updated, with an option to choose whether to duplicate global rules into each sub-policy or not, for example?

My last question is regarding the import of 2 JunOS configurations into the same Security Management. Assuming that the same name/IP address is used for some objects in the 2 configuration files, what will happen when importing the 2nd configuration? Will the import of duplicate objects fail (and non-duplicate ones succeed), but will the policy import succeed as the objects with the correct name would already have been created during the import of the 1st policy?

Sorry for the long post and really many thanks for your answer.
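The two object-handling questions in this post (merging same-name, same-definition objects that appear in several zones, and importing a second configuration whose object names already exist) can be reasoned about with a small pre-import pass over the extracted address book. The following is an added example, not part of this thread or of SmartMove's own code: the address-book entries are constructed sample data, and the per-zone suffix scheme (name_zone) used for conflicting definitions is an assumption of this example.

```python
from collections import defaultdict

# Constructed sample: address-book entries as (zone, name, kind, value), as one
# would extract them from two Junos configurations. Not real customer data.
CONFIG_A = [
    ("trust",   "web-srv", "host",    "10.1.1.10"),
    ("untrust", "web-srv", "host",    "10.1.1.10"),   # same name, same definition
    ("trust",   "app-net", "network", "10.2.0.0/24"),
    ("dmz",     "app-net", "network", "10.3.0.0/24"), # same name, different definition
    ("trust",   "db-srv",  "host",    "10.4.4.4"),
]
CONFIG_B = [
    ("trust",   "web-srv",  "host", "10.1.1.99"),      # clashes with config A
    ("trust",   "db-srv",   "host", "10.4.4.4"),       # identical to config A
    ("untrust", "mail-srv", "host", "10.5.5.5"),       # new object
]

def merge_zone_duplicates(entries):
    """Return {object_name: (kind, value)}.

    Entries with the same name and an identical definition collapse into one
    object. Names whose definitions differ between zones keep a per-zone suffix
    (assumed scheme: <name>_<zone>) so that no definition is silently lost."""
    by_name = defaultdict(list)
    for zone, name, kind, value in entries:
        by_name[name].append((zone, kind, value))
    merged = {}
    for name, defs in by_name.items():
        distinct = {(kind, value) for _, kind, value in defs}
        if len(distinct) == 1:
            merged[name] = distinct.pop()
        else:
            for zone, kind, value in defs:
                merged[f"{name}_{zone}"] = (kind, value)
    return merged

def combine_imports(existing, incoming):
    """Merge a second configuration's objects into ones already imported.

    Returns (objects, reused, conflicts): a name that already exists with the
    same definition is reused rather than re-created; a name that exists with a
    different definition is reported as a conflict and left untouched, because
    importing it would either fail or rebind every rule that references it."""
    objects = dict(existing)
    reused, conflicts = [], []
    for name, definition in incoming.items():
        if name not in objects:
            objects[name] = definition
        elif objects[name] == definition:
            reused.append(name)
        else:
            conflicts.append((name, objects[name], definition))
    return objects, reused, conflicts

if __name__ == "__main__":
    first = merge_zone_duplicates(CONFIG_A)
    objects, reused, conflicts = combine_imports(first, merge_zone_duplicates(CONFIG_B))
    print("after first import:", sorted(first))
    print("reused:", reused)
    for name, old, new in conflicts:
        print(f"conflict on {name}: existing {old}, incoming {new}")
```

The conflict list is the part to act on before running the second import script: each entry is a name that two firewalls use for different addresses, so a rule converted from the second configuration would otherwise silently match the first firewall's object.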

yael_haker
Employee Alumnus

Hi,

Thanks for your feedback.

We plan to release a version that will know how to handle duplicated objects when using an existing management and global policy. This version will be available for Cisco on January 10th 2019, and for the rest of the vendors I hope by the end of January 2019. Please contact me directly if you want to get the version before it is officially released, to test with your customers.

thanks

Yael

Tristan_Guilpin
Explorer

  Hi Yael,

  Many thanks for your answer to my forum post. If it is possible I would be happy to test the new SmartMove release you are talking about on my Juniper SRX customer configurations and provide you a feedback regarding improvement.

  Many thanks.

Tristan

0 Kudos
yael_haker
Employee Alumnus

Please contact me directly to yhaker@checkpoint.com

Thanks

Yael Haker

Customer Success and Pre-Sales Tools Manager

Check Point Software Technologies

Mobile: +972-5-3655929 | Office: +972-3-6115346

LaRockas
Participant

Hi ,

I found this post about SmartMove and I would like to ask you if there is any update on the duplicate objects when you import a policy.

Best Regards
Prodromos
0 Kudos
Jeremiah_Meteko
Explorer

Hi Team,

First of all, great job on the tool; I think this will help most engineers migrating to Check Point. One question is still open though: are there plans for Palo Alto? It would help a lot of engineers/companies to get this.

0 Kudos
PhoneBoy
Admin

PAN support for SmartMove is in the works, yes.

Hopefully it will be ready in the near future.

0 Kudos
yael_haker
Employee Alumnus

Hi,

We have SmartMove for PAN as an EA version that we can share with customers who are willing to test it in their lab.

Please contact me directly if you have customers/partners who want to test the tool.

Thanks

Yael Haker

Customer Success and Pre-Sales Tools Manager

Check Point Software Technologies

Mobile: +972-5-3655929 | Office: +972-3-6115346

Jeremiah_Meteko
Explorer

Hi Yael,

I will contact you as I am in a PAN migration at the moment and I do have a staging setup ready!

0 Kudos
Chris_McGuire
Explorer

Hi Yael.  I also have a customer that is starting a PAN to Check Point migration and is interested in this tool.  I will reach out to you via email to request the tool.

0 Kudos
Fabrizio_Lingi
Employee

Hi,

I hope this comment finds you all in good shape, great tool!

Are there any plans to include support for the migration of Sonicwall  firewalls?

Thanks in advance,

Fabrizio

0 Kudos
Sven_Glock
Advisor

Nice tool!

 

During my first dry run I noticed that the result contains inline layers.

As I am not able to use layers in my policies due to different circumstances, is there a chance to disable layers for the conversion?

 

Thanks in advance.

Cheers

Sven

 

0 Kudos
Martin_Valenta
Advisor

There is no option to disable inline layer creation, but if you cannot use it, just extract (copy/paste) the rules from each inline layer into the policy.

Durin
Contributor

Hi

I have some issues converting a Cisco ASA config; it is a 5515 cluster running version 9.12(2).

After conversion with SmartMove the policy output is just the cleanup rule.

SmartMove version 5.1.7078.13288

Does anyone know how I can check what the issue is?

The NAT and objects output seems to give some more output, however the NAT looks a bit messy...

Thanks!

Best Regards, Rickard

0 Kudos
FedericoMeiners
Advisor

@Durin 
I had similar issues and solved them by modifying the encoding of the "show running" text file to UTF-8.

Hope it helps,

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
Mahipal_Singh
Employee

I have tried with UTF-8 but I am still having the same issue.

0 Kudos