This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
orion_son30
Contributor
‎2024-12-06 04:21 AM

SmartMove - Panorama

Hi,

 

I'm in a middle of a project that consists in migrating a Palo Alto cluster with vsys to Check Point VSX cluster. Regarding the network interfaces and routing it's all set and done, since I'm using the vsx_provisioning_tool to do the work. Regarding the rules, I was trying to use SmartMove, but I'm having a hard time to doing so.

The Palo Alto cluster is managed by a Panorama and the rules for each vsys consists of both shared and template policies. SmartMove is not being able to get the job done on this. I've already tried using an Export Panorama and devices config bundle on Panorama side and also an Export configuration version direct on the Palo Alto devices, but no luck. The first generates an error on the SmartMove. And second just gives an empty output, only with a generic cleanup rule for 2 of the 4 vsys.

Any suggestion or idea on this?

Kind regards,

César Santos

0 Kudos
5 Replies
the_rock
Legend
Legend
‎2024-12-06 05:24 AM

I always found when it comes to smartmove, its excellent converting from Cisco to CP, never an issue. When it comes to Fortigate and PAN conversion, its a different story. But honestly, most vendors are like that, you wont sadly find a tool that would do everything for you, since formats are totally different.

What my colleagues and I usually do is "dump" the outputs in notepad++ and then convert it according to format accepted by the vendor we are converting to. 

Now, when it comes to Check Point, you cant import .csv file containing all the rules (was possible back in R77 and before, but not since R80 sadly), so I would check if something could be done via API.

https://sc1.checkpoint.com/documents/latest/APIs/

Otherwise, I would contact Professional services to see if they can assist, as TAC would not be able to help with something like this.

Hope that helps.

Andy

0 Kudos
orion_son30
Contributor
‎2024-12-07 04:36 AM
In response to the_rock

Hi,

Yup, I've contacted the Professional Services team. Let's see what they say about this.

My alternative approach is to dump the objects and rules from Panorama or directly from the PA cluster to CSV files and then generate the API commands to be able to have the Policy Package for each Virtual System.

Kind Regards,

César Santos

the_rock
Legend
Legend
‎2024-12-07 04:55 AM
In response to orion_son30

That approach makes sense to me.

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-12-07 05:19 AM
In response to orion_son30

I double checked in my labs (both R81.20 and R82) and dont sadly see any options to import any sort of csv files. I really hope that changes in the future, as it would make these things much easier when doing these sorts of conversions. 

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2024-12-09 06:55 AM
In response to the_rock

If you massage a CSV file into the right format, you can use the API to import a CSV file.
See also: https://community.checkpoint.com/t5/API-CLI-Discussion/CLI-API-Example-for-exporting-importing-and-d... 

Upcoming Events

    CheckMates Events