Shay_Levin
Admin

New - Easy Migration from Azure Firewall to Check Point

Hi All, 

I’m happy to share a small PowerShell script that will save you a ton of time when you decide to switch from Azure Firewall to Check Point CloudGuard Network Security.

The script will export your firewall policies on Azure, including all of their objects, to multiple CSV files.

Then, import the CSV files to your Check Point management machine.

At the end of the process, you will get all the objects and policies created on the Check Point management machine.

Depending on your policy size on Azure, the entire process, end to end, should not take more than 10 minutes.

The PowerShell script is attached to the end of the post.

Here is a quick how-to guide (at the end of this guide, you will also find a tutorial video).

On the Azure Firewall, I have a firewall policy with two rule collections: CollectionGroup1 and CollectionGroup2. Each rule collection consists of two rule sets: one network rule collection and one Application Rule collection.

When you run the PowerShell script, you will need to run it against one collection group.

I will run it against collectiongroup2.

Copy the PowerShell script to Notepad++, and replace the values in rows 2, 3, and 4.

The $fpname value should be replaced with the policy name.

The $fprg value should be replaced with the policy resource group.

The $fprcgname should be replaced with the collection group name.

Set your Check Point management username and password on rows 6 & 7.

Create a folder C:\temp\export

Save the file with the name fwexport.ps1 to the new folder, and make sure the extension is .ps1.

Open PowerShell and log in to your Azure tenant (Connect-AzAccount -Tenant 'tenant-id').

Switch the directory to C:\temp\export

Run the PowerShell script.

The script will export the policy and create a tar file with multiple CSV files in it that include all the required objects (be patient; it might take a few minutes).

Two files will be created: *.tar and *.sh.

Copy the two files to the home folder of the Check Point management machine.

Open SSH to the Check Point management machine (switch to expert mode) and run the command: bash collectiongroup2.sh

The script will extract the tar file and import each one of the CSV files.

* If you prefer to import each file manually, you can extract the tar file and run the commands below in the following order:

mgmt_cli add host --batch collectiongroup2-hosts-migrate.csv
mgmt_cli add network --batch collectiongroup2-subnets-migrate.csv
mgmt_cli add address-range --batch collectiongroup2-ipranges-migrate.csv
mgmt_cli add dns-domain --batch collectiongroup2-fqdn-migrate.csv
mgmt_cli add group --batch collectiongroup2-ipgroups-migrate.csv
mgmt_cli add access-layer --batch collectiongroup2-layernames-migrate.csv
mgmt_cli set host --batch collectiongroup2-hosts-with-groups-migrate.csv
mgmt_cli set network --batch collectiongroup2-subnets-with-groups-migrate.csv
mgmt_cli set address-range --batch collectiongroup2-ipranges-with-groups-migrate.csv
mgmt_cli add access-rule --batch collectiongroup2-transformed.csv

Once all the CSV files have been imported, open SmartConsole and open Policies & Layers with Ctrl+O.

Click on the Layers tab, and you will see on the right pane the two new layers that have been imported (test1 and appcollection1).

Right-click on each layer and open it in a new tab.

Now, you can use this layer or just copy multiple rules from one layer to a different policy or different layer.

Limitations:

  1. In the Azure Policy, the list below outlines the destination port numbers for the Network Rule Collection and the protocols for the Application Rule Collection that will undergo translation:

  [list of translated destination ports and protocols: provided as an image in the original post]

  Feel free to edit the script and adjust this list per your needs.

  2. On Azure Policy, the Destination Type ‘Service Tag’ in the Network Rule Collection will not be translated; in this case, the destination in the Check Point policy will be ‘none’.
  3. On Azure Policy, the Destination Types ‘FQDN Tag’ and ‘Web Categories’ in the Application Rule Collection will not be translated; in this case, the destination in the Check Point policy will be ‘none’.
  4. On Azure Policy, DNAT Rules: export is not supported at this stage.
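Before the tar file is copied to the management machine, the exported CSV set can be checked against the manual import order above and the limitations just listed, so that rules whose destination came out as ‘none’ are known up front rather than discovered in SmartConsole. The Python script below is an added example and not the PowerShell script attached to the post: it assumes the file names from the post, and the mgmt_cli batch convention of a header row carrying the API field names with list values in numbered columns (groups.1, destination.1, ...). The sample CSV contents are constructed for the demonstration; two of the ten files are deliberately left out and a few rows carry the defects the checks are meant to catch.

```python
"""Pre-import sanity check for the CSV set produced by the Azure Firewall export.

Added example, not the script from the post. Assumptions: one CSV per object
type named <collectiongroup>-<suffix>.csv as in the post, and the mgmt_cli
batch convention of a header row with API field names and numbered columns
for list values (groups.1, destination.1, ...). Sample contents are constructed.
"""
import csv
import io
import ipaddress

PREFIX = "collectiongroup2"

# Import order from the post: (mgmt_cli verb, object type, file suffix).
IMPORT_ORDER = [
    ("add", "host", "hosts-migrate.csv"),
    ("add", "network", "subnets-migrate.csv"),
    ("add", "address-range", "ipranges-migrate.csv"),
    ("add", "dns-domain", "fqdn-migrate.csv"),
    ("add", "group", "ipgroups-migrate.csv"),
    ("add", "access-layer", "layernames-migrate.csv"),
    ("set", "host", "hosts-with-groups-migrate.csv"),
    ("set", "network", "subnets-with-groups-migrate.csv"),
    ("set", "address-range", "ipranges-with-groups-migrate.csv"),
    ("add", "access-rule", "transformed.csv"),
]

# Constructed sample export (not real data): two files absent, a bad IP, a
# duplicated name, an unknown group and two rules with no translated destination.
SAMPLE_FILES = {
    f"{PREFIX}-hosts-migrate.csv":
        "name,ip-address\nweb1,10.0.1.4\nweb2,10.0.1.5\ndmz,10.0.5.1\nbad-host,10.0.1.999\n",
    f"{PREFIX}-subnets-migrate.csv":
        "name,subnet4,mask-length4\napp-subnet,10.0.2.0,24\ndmz,10.0.5.0,24\n",
    f"{PREFIX}-ipranges-migrate.csv":
        "name,ip-address-first,ip-address-last\nrange1,10.0.3.1,10.0.3.50\n",
    f"{PREFIX}-fqdn-migrate.csv": "name\n.example.com\n",
    f"{PREFIX}-ipgroups-migrate.csv": "name\nwebservers\n",
    f"{PREFIX}-layernames-migrate.csv": "name\ntest1\nappcollection1\n",
    f"{PREFIX}-hosts-with-groups-migrate.csv":
        "name,groups.1\nweb1,webservers\nweb2,webservers\nweb3,dbservers\n",
    f"{PREFIX}-transformed.csv":
        "layer,name,source.1,destination.1,service.1,action\n"
        "test1,allow-web,any,webservers,https,accept\n"
        "test1,svc-tag-rule,any,,https,accept\n"                        # Service Tag not translated
        "appcollection1,fqdn-tag-rule,app-subnet,none,https,accept\n",  # FQDN Tag not translated
}


def load_csv(text):
    """Parse CSV text into row dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def list_values(row, field):
    """Non-blank values of a numbered column family: field, field.1, field.2, ..."""
    return [v.strip() for k, v in row.items()
            if k and (k == field or k.startswith(field + ".")) and v and v.strip()]


def check_export(files, prefix=PREFIX):
    """Return a list of findings; an empty list means the set is ready for batch import."""
    findings = []

    def rows(suffix):
        text = files.get(f"{prefix}-{suffix}")
        return load_csv(text) if text is not None else []

    # 1. Every file the import sequence consumes is present.
    for verb, obj, suffix in IMPORT_ORDER:
        if f"{prefix}-{suffix}" not in files:
            findings.append(f"MISSING: {prefix}-{suffix} (consumed by 'mgmt_cli {verb} {obj} --batch')")

    # 2. Host addresses parse as IP addresses; a malformed one is rejected at import time.
    for r in rows("hosts-migrate.csv"):
        try:
            ipaddress.ip_address(r.get("ip-address") or "")
        except ValueError:
            findings.append(f"BAD-IP: host {r.get('name')!r} has ip-address {r.get('ip-address')!r}")

    # 3. Object names are unique across the object types that share one namespace.
    seen = {}
    for suffix in ("hosts-migrate.csv", "subnets-migrate.csv",
                   "ipranges-migrate.csv", "fqdn-migrate.csv"):
        for r in rows(suffix):
            name = r.get("name") or ""
            if name in seen:
                findings.append(f"DUPLICATE: name {name!r} in {suffix} and {seen[name]}")
            else:
                seen[name] = suffix

    # 4. Group memberships (the 'set ... --batch' steps) only reference groups that
    #    the earlier 'add group' step creates.
    groups = {r.get("name") for r in rows("ipgroups-migrate.csv")}
    for suffix in ("hosts-with-groups-migrate.csv", "subnets-with-groups-migrate.csv",
                   "ipranges-with-groups-migrate.csv"):
        for r in rows(suffix):
            for g in list_values(r, "groups"):
                if g not in groups:
                    findings.append(f"UNKNOWN-GROUP: {r.get('name')!r} in {suffix} references {g!r}")

    # 5. Rules target a layer created by 'add access-layer', and rules whose destination
    #    is empty or 'none' (Service Tag, FQDN Tag, Web Categories are not translated)
    #    are listed so they can be completed by hand before the policy is used.
    layers = {r.get("name") for r in rows("layernames-migrate.csv")}
    for r in rows("transformed.csv"):
        if r.get("layer") not in layers:
            findings.append(f"UNKNOWN-LAYER: rule {r.get('name')!r} targets layer {r.get('layer')!r}")
        if not [d for d in list_values(r, "destination") if d.lower() != "none"]:
            findings.append(f"REVIEW: rule {r.get('name')!r} in layer {r.get('layer')!r} "
                            "has no translated destination")
    return findings


if __name__ == "__main__":
    for line in check_export(SAMPLE_FILES):
        print(line)
```

To run it on a real export, replace SAMPLE_FILES with a dict built by reading the extracted CSV files from C:\temp\export, and treat every REVIEW line as a rule to finish manually in SmartConsole after the import.
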
8 Replies
jmaresky
Employee

Great work @Shay_Levin !

"I’m happy to share a small PowerShell script that will save you a ton of time when you decide to switch from Azure Firewall to Check Point CloudGuard Network Security."

the_rock
Legend

@Shay_Levin Just curious, is this officially supported by TAC in case the process does not work as expected?

Best,

Andy

Shay_Levin
Admin

Hi,

TAC does not support it, but anyone with an issue can post here or message me directly.

the_rock
Legend

Great, that's fair, thanks very much.

Best,

Andy

the_rock
Legend

Another quick question, sorry... does the script support importing ALL kinds of rules or ONLY security rules?

Any idea?

Andy

Shay_Levin
Admin

Security rules and application rules are supported.

The above two are heavy-lifting; the DNAT Rules, Threat Intelligence, and IDPS will not require much time to convert manually if needed.

the_rock
Legend

Got it, thanks a lot. Sorry for all my questions.

Best,

Andy

Wil_S
Contributor

Great Work !!! Amazing Post 😎
