idc (Explorer)

Smartmove not optimizing cisco asa policy

We are moving from Cisco ASA to Check Point. We are using the Check Point SmartMove tool to convert the existing Cisco ASA configuration to Check Point. But SmartMove does not optimize the rules. Kindly see the attached pic for more details.

4 Replies
_Val_ (Admin)

SmartMove is not a policy optimization tool, it is a migration tool.

Ofir_Shikolski (Employee Alumnus)

SmartMove does optimize the policy 🙂

You can review the comments in the code:

https://raw.githubusercontent.com/CheckPointSW/SmartMove/master/CheckPointObjects/RuleBaseOptimizer....

 

/// <summary>
/// Optimizes the security policy rulebase by merging several rules from the same sub-policy into a single rule.
/// Two rules can be merged into one rule if:
///    1. both rules have the same action, and
///    2. both rules are enabled or disabled, and
///    3. both rules have source and destination columns negated or not, and
///    4. both rules have the same time objects, and
///    5. either one of the following is true:
///       5.1. both the source and destination columns match
///       5.2. both the source and service columns match
///       5.3. both the destination and service columns match
/// For CiscoASA and FirePower vendors there is an option to optimize by comments -
/// two rules can be merged if they have the same comments and in addition they meet the above criteria.
/// </summary>

You will need to uncheck the "optimize by comments" option in your case.
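To make the merge criteria in that doc comment concrete, here is an added Python example (not code from SmartMove, which is written in C#) that implements the five criteria plus the optional "optimize by comments" switch and runs them over a small set of constructed rules. Two assumptions are this example's own, not the project's: it only merges consecutive rules, so rule order (and therefore first-match semantics) is preserved, and it refuses to merge when the column that would be unioned is negated, because the union of two negated cells does not match the union of what the two original rules matched.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, List


@dataclass(frozen=True)
class Rule:
    """One rulebase entry; negation flags model the 'negated' source/destination cells."""
    name: str
    action: str                       # e.g. "accept" or "drop"
    enabled: bool
    source: FrozenSet[str]
    destination: FrozenSet[str]
    service: FrozenSet[str]
    src_negated: bool = False
    dst_negated: bool = False
    time: FrozenSet[str] = frozenset()
    comment: str = ""


def can_merge(a: Rule, b: Rule, by_comments: bool = False) -> bool:
    """Criteria 1-5 from the SmartMove doc comment, plus the optional comment match."""
    if a.action != b.action or a.enabled != b.enabled:          # 1 and 2
        return False
    if (a.src_negated, a.dst_negated) != (b.src_negated, b.dst_negated):  # 3
        return False
    if a.time != b.time:                                         # 4
        return False
    if by_comments and a.comment != b.comment:                   # vendor option
        return False
    same_src = a.source == b.source
    same_dst = a.destination == b.destination
    same_svc = a.service == b.service
    if sum((same_src, same_dst, same_svc)) < 2:                  # 5.1 / 5.2 / 5.3
        return False
    # Assumption of this example (not from the page): never union a negated cell,
    # since "not in A" OR "not in B" is not the same as "not in (A union B)".
    if (not same_src and a.src_negated) or (not same_dst and a.dst_negated):
        return False
    return True


def merge(a: Rule, b: Rule) -> Rule:
    """Union all three columns; the two that already match are unchanged by the union."""
    comment = a.comment if a.comment == b.comment else f"{a.comment}; {b.comment}"
    return replace(
        a,
        name=f"{a.name}+{b.name}",
        source=a.source | b.source,
        destination=a.destination | b.destination,
        service=a.service | b.service,
        comment=comment,
    )


def optimize_rulebase(rules: List[Rule], by_comments: bool = False) -> List[Rule]:
    """Single pass that folds each rule into its predecessor when the criteria allow it.
    Only adjacent rules are merged (assumption) so the original order is kept."""
    out: List[Rule] = []
    for rule in rules:
        if out and can_merge(out[-1], rule, by_comments):
            out[-1] = merge(out[-1], rule)
        else:
            out.append(rule)
    return out


def fs(*items: str) -> FrozenSet[str]:
    return frozenset(items)


# Constructed sample rulebase (not taken from any real policy).
SAMPLE_RULES = [
    Rule("r1", "accept", True, fs("net_a"), fs("srv_web"), fs("http"), comment="web"),
    Rule("r2", "accept", True, fs("net_b"), fs("srv_web"), fs("http"), comment="web"),
    Rule("r3", "accept", True, fs("net_a", "net_b"), fs("srv_web"), fs("https"), comment="web-tls"),
    Rule("r4", "drop", True, fs("any"), fs("any"), fs("any"), comment="cleanup"),
    Rule("r5", "accept", False, fs("net_c"), fs("srv_web"), fs("http"), comment="web"),
]


if __name__ == "__main__":
    for by_comments in (False, True):
        result = optimize_rulebase(SAMPLE_RULES, by_comments)
        print(f"optimize by comments={by_comments}: {len(SAMPLE_RULES)} -> {len(result)} rules")
        for r in result:
            print(f"  {r.name:10} {r.action:6} src={sorted(r.source)} dst={sorted(r.destination)} svc={sorted(r.service)}")
```

With the comment option off, r1 and r2 collapse (destination and service match) and r3 then folds in on top (source and destination match), leaving three rules; with "optimize by comments" on, r3's different comment keeps it separate, which is exactly why a policy whose comments were written per line merges so little until that option is unchecked.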

 

_Val_ (Admin)

Oookay, I stand corrected. You can also see that it made 15k rules out of over 28k original records. Let's say, it can consolidate the original policy, but only to some extent.

Ofir_Shikolski (Employee Alumnus)

The policy is always optimized for Check Point products.

There are two steps:

  1. Convert the policy.

  2. Optimize the policy - this can result in up to a 70%+ improvement in efficiency compared to the converted policy (The logic is based on Check Point's Smart Optimized utility).

There are scenarios where the converted policy cannot be further optimized.
