How to migrate a Juniper Junos OS / ScreenOS configuration to the Check Point R80 Management Server database?
The Check Point SmartMove tool enables you to convert a 3rd-party database with firewall security policy and NAT to a Check Point database.
At the moment, the tool parses Cisco ASA, Juniper Junos OS and ScreenOS configurations and converts their objects, NAT and firewall policy to a Check Point R80.10-compliant policy. The tool is planned to support additional vendors and security configurations in the future.
The tool generates bash scripts that use the Check Point Management API's command line interface (mgmt_cli) to migrate the converted policy into an R80.10 Management (or Multi-Domain) server.
See also sk115416 - How to migrate a competitor's database to Check Point with SmartMove.
Currently, the following Juniper configurations can be migrated:
I am trying to migrate from a Juniper cluster of 2 SRX 650, version 12.1X46-D35.
I export the configuration with: show configuration | display xml | no-more
When I run the utility I get this error:
Could not parse configuration file.
Message:Data at the root level is invalid line 11640 position 1
Any help will be appreciated.
It seems that the XML file is invalid.
Try to open it in Internet Explorer or any other XML viewer/editor.
Thanks for your help.
It was a problem with the XML file.
Now it works fine except for the NAT translation.
Will try to figure out a way.
If you can explain what doesn't work with NAT, I'll try to assist.
The tool works great and has saved a lot of time for us. I just wanted to know, since DIP configuration is not converted by SmartMove, what NAT configuration will be appropriate to do this manually in Check Point?
I'll check this with our security experts and get back to you.
In the case of an interface with a dynamic IP configuration, which is not supported by the tool, you need to perform a pre-migration task - replace DAIP interfaces with static IP addresses.
Later, post-migration, you can manually modify the generated NAT rules.
This is also mentioned in the accompanying SK -
Thanks for the reply. I did have to create the NAT rules manually after migration. But if there was DIP NAT in Juniper, do I have to create an IP pool NAT in Check Point?
Basically, a comparison of NAT methods in Juniper and their equivalents in Check Point would be really helpful.
IP pool NAT can be an option, but I'll give you an authorized answer from our NAT team members tomorrow.
Regarding the NAT comparison, please take a look at this -
I've checked with our NAT experts, and they suggest using dynamic objects as a source/destination in your NAT rule.
Then, go to your gateway and run "dynamic_objects" command to configure the IP addresses.
Thanks for the update Robert.
No problem. Does it make sense for your configuration?
It does make sense. But I have noticed in the current Juniper configuration that although DIP is configured, it just has one IP in the pool.
E.g. set interface ethernet1/1 ext ip 10.10.xx.xx 255.255.255.224 dip 9 192.168.1.1 192.168.1.1
In this case I don't have to use a Dynamic Object in the NAT rule but just a manual Hide NAT rule.
Yes, you are correct.
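As an added example that is not SmartMove output and not part of this thread, the manual post-migration step the discussion ends on can be scripted: parse the ScreenOS "dip" statements and emit the mgmt_cli and gateway commands for the Check Point equivalent. A one-address DIP pool (the case in the thread) becomes a host object used as the translated source of a Hide NAT rule; a multi-address pool follows the dynamic-object advice given above, with the addresses set on the gateway by the dynamic_objects command (IP Pool NAT, mentioned earlier in the thread, is the alternative for that case, and the policy should be verified in SmartConsole either way). The ScreenOS lines are constructed, the interface IPs are placeholders, and the package name "Standard" and original-source object "Net_LAN" are assumptions; the mgmt_cli login/session handling that SmartMove's own scripts wrap around such commands is omitted.

```python
"""Turn ScreenOS 'dip' pool statements into the mgmt_cli and gateway commands
for an equivalent Hide NAT, the manual post-migration step the thread ends on.
Added example; it is not SmartMove output, and the package and original-source
object names are placeholders."""
import re

# Constructed ScreenOS lines; the first dip line mirrors the one in the thread.
SCREENOS = """\
set interface ethernet1/1 ext ip 10.10.20.5 255.255.255.224 dip 9 192.168.1.1 192.168.1.1
set interface ethernet1/2 ip 192.168.2.1/24
set interface ethernet1/2 dip 10 192.168.2.10 192.168.2.20 fix-port
"""

DIP_RE = re.compile(
    r"^set interface (?P<ifname>\S+)"
    r"(?: ext ip \S+(?: \S+)?)?"      # optional extended interface IP (+ netmask)
    r" dip (?P<dip_id>\d+) (?P<first>\S+) (?P<last>\S+)"
    r"(?: .*)?$"                      # trailing options such as fix-port
)


def parse_dip_pools(config_text):
    """Return [(dip_id, ifname, first_ip, last_ip)] for every dip statement."""
    pools = []
    for line in config_text.splitlines():
        m = DIP_RE.match(line.strip())
        if m:
            pools.append((int(m["dip_id"]), m["ifname"], m["first"], m["last"]))
    return pools


def to_check_point(pools, package="Standard", original_source="Net_LAN"):
    """Map each pool to Check Point objects and a Hide NAT rule.

    A one-address pool (the thread's case) becomes a host behind which the
    original source hides. A multi-address pool follows the thread's advice:
    a dynamic object on the management side, filled on the gateway with
    dynamic_objects (verify the resulting policy in SmartConsole; IP Pool NAT
    is the alternative). Returns {"mgmt": [mgmt_cli...], "gateway": [CLI...]}.
    """
    mgmt, gateway = [], []
    for dip_id, ifname, first, last in pools:
        obj = "DIP%d_%s" % (dip_id, ifname.replace("/", "_"))
        if first == last:
            mgmt.append('mgmt_cli add host name "%s" ip-address %s' % (obj, first))
        else:
            mgmt.append('mgmt_cli add dynamic-object name "%s"' % obj)
            gateway.append("dynamic_objects -n %s" % obj)
            gateway.append("dynamic_objects -o %s -r %s %s -a" % (obj, first, last))
        mgmt.append(
            'mgmt_cli add nat-rule package "%s" position bottom '
            'original-source "%s" translated-source "%s" method hide'
            % (package, original_source, obj))
    return {"mgmt": mgmt, "gateway": gateway}


if __name__ == "__main__":
    out = to_check_point(parse_dip_pools(SCREENOS))
    print("\n".join(out["mgmt"]))
    print("# on the gateway:")
    print("\n".join(out["gateway"]))
```

The original-source object has to come from the ScreenOS policy that references the DIP, not from the interface line, which is why it is a parameter here rather than something the parser can derive.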