This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
idc
Explorer
‎2023-09-19 10:16 PM
Jump to solution

Smartmove not optimizing cisco asa policy

We are moving from cisco ASA to checkpoint. We are using checkpoint smartmove tool to convert existing cisco asa configuration to checkpoint. But the smartmove does not optimize the the rules. Kindly see attached pic for more details.

cisco.png
Preview file
50 KB
0 Kudos
1 Solution

Accepted Solutions
Ofir_Shikolski
Employee Alumnus
Employee Alumnus
‎2023-09-20 12:37 AM
Jump to solution

SmartMove does optimize the policy 🙂

you can review the comments on the code:

https://raw.githubusercontent.com/CheckPointSW/SmartMove/master/CheckPointObjects/RuleBaseOptimizer....

 

 /// <summary>
    /// Optimizes the security policy rulebase by merging several rules from the same sub-policy into a single rule.
    /// Two rules can be merged into one rule if:
    ///    1. both rules have the same action, and
    ///    2. both rules are enabled or disabled, and
    ///    3. both rules have source and destination columns negated or not, and
    ///    4. both rules have the same time objects, and
    ///    5. either one of the following is true:
    ///       5.1. both the source and destination columns match
    ///       5.2. both the source and service columns match
    ///       5.3. both the destination and service columns match
    /// for CiscoASA and FirePower vendors there is an option to optimize by comments -
    /// two rules can be merged if they have the same comments and in addition they up to the above criteria.
    /// </summary>

you will need to uncheck the optimized by comments in your case .

 

View solution in original post

4 Replies
_Val_
Admin
Admin
‎2023-09-19 11:29 PM
Jump to solution

SmartMove is not policy optimization tool, it is a migration tool. 

0 Kudos
Ofir_Shikolski
Employee Alumnus
Employee Alumnus
‎2023-09-20 12:37 AM
Jump to solution

SmartMove does optimize the policy 🙂

you can review the comments on the code:

https://raw.githubusercontent.com/CheckPointSW/SmartMove/master/CheckPointObjects/RuleBaseOptimizer....

 

 /// <summary>
    /// Optimizes the security policy rulebase by merging several rules from the same sub-policy into a single rule.
    /// Two rules can be merged into one rule if:
    ///    1. both rules have the same action, and
    ///    2. both rules are enabled or disabled, and
    ///    3. both rules have source and destination columns negated or not, and
    ///    4. both rules have the same time objects, and
    ///    5. either one of the following is true:
    ///       5.1. both the source and destination columns match
    ///       5.2. both the source and service columns match
    ///       5.3. both the destination and service columns match
    /// for CiscoASA and FirePower vendors there is an option to optimize by comments -
    /// two rules can be merged if they have the same comments and in addition they up to the above criteria.
    /// </summary>

you will need to uncheck the optimized by comments in your case .

 

_Val_
Admin
Admin
‎2023-09-20 12:42 AM
In response to Ofir_Shikolski
Jump to solution

Oookay, I stand corrected. You can also see that it made 15k rules out of over 28k original records. Let's say, it can consolidate the original policy, but only to some extent.

0 Kudos
Ofir_Shikolski
Employee Alumnus
Employee Alumnus
‎2023-09-20 12:49 AM
In response to _Val_
Jump to solution

The policy is always optimized for Check Point products.

There are two steps:

  1. Convert the policy.

  2. Optimize the policy - this can result in up to a 70%+ improvement in efficiency compared to the converted policy (The logic is based on Check Point's Smart Optimized utility).

There are scenarios where the converted policy cannot be further optimized.

0 Kudos
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events
    li.common.scroll-to.top