Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Larry_Birch
Contributor

SonicWall Migration

Has anyone had any experience in migrating SonicWall policies into Check Point?  How do this as easily as possible, and lessons learned.  I understand that SmartMove will not work. 

 

Thank you.

10 Replies
Nick_Doropoulos
Advisor

Hi Larry,

I have migrated configuration from SonicWalls into Check Point firewalls and the process I went through consisted of the following steps:

1) Export the configuration from the SonicWalls.

2) Break up the data into distinctive sections (i.e. policies, nat rules, objects etc.).

3) Sort out the data in Excel and save the resulting files in csv format.

4) Bulk import everything via the management api.

I can appreciate that the above list is only a "crude" way of going about it but that is the process I went through in the absence of SmartMove compatibility. I'm happy to provide you with more information about each step if you like and I would be more than happy to hear a better method to follow with regards to the migration in question.

I hope this helps.

 

Xterminator
Participant

Hello Nick,

I'm about to get involved in a similar activity, and I found this post.

I'd appreciate it if you could give a few more details, especially regarding the "breaking up the data into distinctive sections". Also if you happen to maybe have a script, in order to automate this task, it would be greatly appreciated.

Thanks a lot

0 Kudos
Nick_Doropoulos
Advisor

Hello Xterminator,

Of course, no problem 🙂

May I ask what is the version of the Check Point manager and firewall you are working with?

Thanks.

0 Kudos
Xterminator
Participant

Hi Nick, thanks for your availability. 🙂

At the moment I'm working with an R80.30 management server with a dedicated log server. It manages a VSX environment with various clusters, running the same version.

 

Thanks a lot,

Alessandro

0 Kudos
Jerry
Mentor
Mentor

as an ex SonicWALL employee I'd say - don't do that!
I tried many times and always ended up doing things again from scratch. there is no simple path for it it is a painful way via XLS/CSV files and XLM imports. Not worth it. SMB vendors won't cope well with Enterprise one. Trust me on that!
Jerry
0 Kudos
Xterminator
Participant

Hi Jerry, thanks for your input. I'm not afraid to do things the "hard way": I just wanted an input on how to do this migration as better as possible, if there were an automated approach, the better 😉

 

Thanks and Regards,
Alessandro

0 Kudos
Jerry
Mentor
Mentor

hi Alessandro, I was actually replying to the original post from Larry 🙂 But I do appreciate where you coming from.

Best of luck.
Jerry
0 Kudos
Nick_Doropoulos
Advisor

Hi Alessandro,

Please find below the documentation I created and followed a while ago in order to assist a customer with their migration from a SonicWall to a Check Point estate:

 

Preparing the Management API

Since the bulk of the migration will be carried out via Check Point’s api, the status of the api console will need to be confirmed.

1) Connect to the command line of the SMS (Security Management Server).

2)  Log in to Expert mode.

3) [Expert@HostName]# api status (it should say “API readiness test SUCCESSFUL”).

4) Ensure that the machine you have accessed the SMS from is a trusted client by navigating to Manage & Settings >> Blades >> Management API >> Management API Settings and select the appropriate option followed by “OK”.

 
 

Checkmates1.PNG

 

 

5) Ensure that there are no other api tasks currently running to avoid any conflicts by running the command below:

[Expert@HostName]#  mgmt_cli -r true show tasks status "in-progress" (it should say “total:0”).

 

Transferring the Migrated Data

 

With a tool such as WinSCP, please transfer the CSV files provided to the Security Management Server.

 

Importing the Objects

 

To import the objects, please run the following commands in the order written below:

[Expert@HostName]#  mgmt_cli add host --batch host-objects.csv

[Expert@HostName]#  mgmt_cli add network --batch network-objects.csv

[Expert@HostName]#  mgmt_cli add security-zone --batch security-zones.csv

[Expert@HostName]#  mgtmt_cli add address-range --batch address-range-objects.csv

[Expert@HostName]#  mgmt_cli add group --batch group-objects.csv

[Expert@HostName]#  mgmt_cli add service-tcp --batch service-objects.csv

 

Importing the Firewall Policy

 

It is important to note that the previous commands must not return any errors during the import process. Any errors encountered have to be addressed before proceeding further as the firewall policies will not be imported successfully. To that end, please publish the changes now:

Checkmates2.PNG

 

 

Assuming the previous steps have been followed without any issues, please run the following command:

[Expert@HostName]# mgmt_cli add access-rule –batch firewall-policy.csv

 

Importing the NAT Policy

 

[Expert@HostName]# mgmt_cli add nat-rule –batch nat-policies.csv

 

Creating the RemoteSite Policy Package

 

[Expert@HostName]#  mgmt_cli add package name "RemoteSite"

 

Importing the RemoteSite Objects

 

[Expert@HostName]#  mgmt_cli add host --batch host-objects-rs.csv

[Expert@HostName]#  mgmt_cli add network --batch network-objects-rs.csv

[Expert@HostName]#  mgtm_cli add address-range --batch address-range-objects-rs.csv

[Expert@HostName]#  mgmt_cli add group --batch group-objects-rs.csv

[Expert@HostName]#  mgmt_cli add service-tcp --batch service-group-objects-rs.csv

 

Importing the RemoteSite Firewall Policy

 

It is important to note that the previous commands must not return any errors during the import process. Any errors encountered have to be addressed before proceeding further as the firewall policies will not be imported successfully. To that end, please publish the changes now:

 

 

[Expert@HostName]# mgmt_cli add access-rule –batch firewall-policy-rs.csv

 

Importing the RemoteSite NAT Policy

 

[Expert@HostName]# mgmt_cli add nat-rule –batch nat-policies-rs.csv

 

Migrating Interfaces

 

SonicWall interfaces begin with the 'X' character in their names. To make the migration possible, the 'X' character has been replaced with Check Point's counterpart naming convention (eth) across all data.

 

1) Connect to the command line of the GW.

2)  Log in to Expert mode.

3) Transfer the headoffice-interfaces file provided to the GW.

4) Convert the transferred plain-text file from DOS format to UNIX format:

[Expert@HostName]# dos2unix /some_path_to/file_with_configuration

5) Import the configuration from the plain-text file:

[Expert@HostName]# clish -s -f /some_path_to/file_with_configuration

6) List the interfaces configuration:

[Expert@HostName]# clish -c "show configuration interface"

7) Save the configuration:

[Expert@HostName]# clish -c "save config"

 

Post-Migration Tasks

 

1) Change the port numbers and protocol types of all custom services. Based on the data provided, it was unknown what port number and what protocol type (tcp, udp, etc.) each service was initially associated with.  

2) Since the migrated rule bases are based on Security Zones, the workflow below will have to be followed from Step 2 onwards:

 

  1. Define Security Zone objects. Or, use the predefined Security Zones.
  2. Assign Gateway interfaces to Security Zones.
  3. Use the Security Zone objects in the Source and Destination of a rule. For example:

Source

Destination

VPN

Service

Action

 

InternalZone

ExternalZone

Any Traffic

Any

Accept

 

  1. Install the Access Control Policy.

 

3) Based on the data provided, it was unclear for us to determine which firewall rules in particular should have logging enabled. As such, ALL firewall rules will have logging enabled.

4) Based on the data provided, it was unclear which services should be members of the service groups involved. As such, all service groups should be checked and populated correctly.

5) Identify which objects have not been migrated (if any).

 

Troubleshooting

 

Should you encounter any errors while trying to execute one of the api commands, please re-direct the output to a text file.

For instance, if you get an error when running the command below,

[Expert@HostName]#  mgmt_cli add service-tcp --batch service-group-objects.csv

Run it again like so:

[Expert@HostName]#  mgmt_cli add service-tcp --batch service-group-objects.csv > errors.txt

And then provide us with the errors.txt file.

 

References

https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_SecurityManagement_AdminG...

 

I hope this helps.

 

Let me know if you have any questions.

Nick

Xterminator
Participant

Hi Nick,

Thanks so much for your explanation and your level of detail, which I appreciate a lot. Luckily, having the APIs at my disposal makes the job A LOT easier 🙂

A couple more questions, if it's not too much to ask:

1) I see that during the imports of the objects/rulesets a CSV file is being used, but do you have a hint on how to generate this file?

I extracted a XML file from the SonicWall firewall, which appears to contain all the objects and rulesets (from the "Diagnostics"/"Download Report" section): may I work starting from this file? From this, I believe I could create a script which isolates all objects, networks, rulesets, etc...

2) Maybe it's a trivial question (if so, sorry for asking), but what is the point of importing the objects, groups, services, etc... 2 times into the management server? (one of them is listed as RemoteSite).

Thanks a lot again for all your effort,

Alessandro

0 Kudos
Chris_McGuire
Explorer

Hi Nick. I am currently working on a similar migration. Your steps make sense, but I would like to know if it would be possible to obtain the scripts you used to generate the various CSVs. Thank you for your assistance.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events