How to migrate Juniper configuration to Check Point R80 Management Server database?
How to migrate a Juniper Junos OS / ScreenOS configuration to the Check Point R80 Management Server database?
Accepted Solutions
The Check Point SmartMove tool enables you to convert a 3rd-party database with firewall security policy and NAT to a Check Point database.
At the moment, the tool parses Cisco ASA, Juniper Junos OS and ScreenOS configurations and converts their objects, NAT and firewall policy to a Check Point R80.10-compliant policy. The tool is planned to support additional vendors and security configurations in the future.
The tool generates bash scripts that use the Check Point Management API's command-line interface to migrate the converted policy into an R80.10 Management (or Multi-Domain) server.
Currently, the following Juniper configurations can be migrated:

| Supported Gateway | Supported OS |
| --- | --- |
| Juniper SRX Series | Junos OS version 12.1 and above |
| Juniper SSG Series | ScreenOS version 6.3 (R19B/R22) and above |

Enjoy.
Hi,
I am trying to migrate from a Juniper cluster of 2 SRX 650, version 12.1X46-D35.
I exported the configuration with: show configuration | display xml | no-more
When I run the utility I get this error:
Could not parse configuration file.
Message: Data at the root level is invalid line 11640 position 1
Module: System.Xml
Class: XmlTextReaderImpl
Method: Throw
Any help will be appreciated.
Thanks
Yoram
Hi,
It seems that the XML file is invalid.
Try to open it in Internet Explorer or any other XML viewer/editor.
Robert.
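Before loading an export into SmartMove, it is worth checking it the way the tool's .NET XML parser will see it. The script below is an added example written for this thread, not SmartMove's or Juniper's code. It assumes one common cause of "Data at the root level is invalid" in a CLI-captured export: text outside the single root element, such as the echoed command before `<rpc-reply>` or the device prompt after `</rpc-reply>`. Whether that was the cause of the error reported above is not confirmed by the thread. The sample export is constructed; the cleaning step only cuts text before the first start tag and after the root's closing tag, so a file that is broken inside the document is reported but not "fixed".

```python
"""Validate (and, if possible, trim) a Junos 'show configuration | display xml'
export before feeding it to SmartMove.  Added example, not SmartMove's code.

Assumption (labelled): the export was captured from an SSH session, so the
echoed command and the CLI prompt ended up in the file outside <rpc-reply>.
"""
import re
import sys
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed sample export: line 1 is the echoed command, the last two lines
# are the chassis-cluster banner and the prompt, all outside the root element.
RAW_EXPORT = """yoram@srx> show configuration | display xml | no-more
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/12.1X46/junos">
    <configuration junos:commit-seconds="1500000000">
        <security>
            <policies>
                <policy>
                    <from-zone-name>trust</from-zone-name>
                    <to-zone-name>untrust</to-zone-name>
                    <policy><name>allow-web</name></policy>
                </policy>
                <policy>
                    <from-zone-name>untrust</from-zone-name>
                    <to-zone-name>trust</to-zone-name>
                    <policy><name>deny-all</name></policy>
                </policy>
            </policies>
        </security>
    </configuration>
    <cli>
        <banner>{primary:node0}</banner>
    </cli>
</rpc-reply>
{primary:node0}
yoram@srx>
"""

# First element start tag: "<name" followed by whitespace or ">".
ROOT_START = re.compile(r"<(?P<name>[A-Za-z_][\w.\-]*)[\s>]")


def check_export(text: str) -> Optional[Tuple[int, int]]:
    """Return None if `text` is one well-formed XML document, otherwise the
    (line, column) where the parser stopped.  Lines are 1-based like the
    'line 11640 position 1' in SmartMove's message; expat columns are 0-based."""
    try:
        ET.fromstring(text)
        return None
    except ET.ParseError as exc:
        return exc.position


def clean_export(text: str) -> str:
    """Keep only the first top-level element: drop anything before its start
    tag (echoed command, prompt) and anything after its matching end tag
    (trailing prompt, banner).  A leading XML declaration is preserved."""
    decl, body = "", text
    m_decl = re.match(r"\s*<\?xml[^>]*\?>", body)
    if m_decl:
        decl = m_decl.group(0).strip() + "\n"
        body = body[m_decl.end():]
    m = ROOT_START.search(body)
    if not m:
        raise ValueError("no element start tag found in export")
    end_tag = f"</{m.group('name')}>"
    end = body.rfind(end_tag)
    if end < m.start():
        raise ValueError(f"{end_tag} not found; the export is truncated")
    return decl + body[m.start():end + len(end_tag)] + "\n"


def count_policies(text: str) -> int:
    """Number of zone-pair policy entries SmartMove will have to convert."""
    root = ET.fromstring(text)
    return len(root.findall("./configuration/security/policies/policy/policy"))


if __name__ == "__main__":
    # Usage: python check_export.py srx-config.xml > srx-config.clean.xml
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else RAW_EXPORT
    where = check_export(data)
    if where:
        print(f"not well-formed at line {where[0]} position {where[1]}", file=sys.stderr)
        data = clean_export(data)
        print("after trimming:", "ok" if check_export(data) is None else "still broken",
              file=sys.stderr)
    print(data, end="")
```

Run it on the real export and compare the reported line with the one in SmartMove's message: if the line is the first or last non-blank line of the file, the trimmed output is what the tool should get; if it points into the middle of the document, the capture itself is damaged (pager breaks, a dropped terminal buffer) and the export should be redone, preferably by copying the file off the device rather than through a terminal.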
Hi,
Thanks for your help.
It was a problem with the XML file.
Now it works fine, except for the NAT translation.
I will try to figure out a way.
Thanks
If you can explain what doesn't work with NAT, I'll try to assist.
Robert.
I'm getting the same error. What exactly was the issue? I've never seen the XML file before, so I don't know how to fix this error.
Hi,
The tool works great and has saved a lot of time for us. I just wanted to know, since DIP configuration is not converted by SmartMove, what NAT configuration would be appropriate to do this manually in Check Point?
Hi,
I'll check this with our security experts and get back to you.
Robert.
Hi,
In the case of an interface with dynamic IP configuration, which is not supported by the tool, you need to perform a pre-migration task: replace DAIP interfaces with static IP addresses.
Later, post-migration, you can manually modify the generated NAT rules.
This is also mentioned in the accompanying SK -
Robert.
Thanks for the reply. I did have to create the NAT rules manually after migration. But if there was DIP NAT in Juniper, do I have to create an IP pool NAT in Check Point?
Basically, a comparison of NAT methods in Juniper and their equivalents in Check Point would be really helpful.
IP pool NAT can be an option, but I'll give you an authorized answer from our NAT team members tomorrow.
Regarding the NAT comparison, please take a look at this -
https://www.51sec.org/2015/07/checkpoint-nat-concepts-and-server-side-nat-explanation/
Robert.
Hi,
I've checked with our NAT experts, and they suggest using dynamic objects as the source/destination in your NAT rule.
Then, go to your gateway and run the "dynamic_objects" command to configure the IP addresses.
Robert.
Thanks for the update Robert.
No problem. Does it make sense for your configuration?
It does make sense. But I have noticed in the current Juniper configuration that although DIP is configured, it just has one IP in the pool.
E.g. set interface ethernet1/1 ext ip 10.10.xx.xx 255.255.255.224 dip 9 192.168.1.1 192.168.1.1
In this case I don't have to use a Dynamic Object in the NAT rule, but just a manual Hide NAT rule.
Yes, you are correct.
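The two outcomes discussed above (a dynamic object plus the gateway `dynamic_objects` command for a real DIP range, and a plain manual Hide NAT rule when the ScreenOS pool start and end are the same address) can be turned into a small generator that reads `set interface ... dip` lines and emits the corresponding Management API CLI commands, which is also the mechanism SmartMove itself uses for the parts it does convert. The script is an added example for this thread, not SmartMove's code or Check Point's recommended tooling. It assumes: the policy package is called "Standard"; object names are built from the DIP id and interface; the original source network is something you name yourself, because in ScreenOS the DIP line defines only the pool and the policy that references the DIP carries the source; `mgmt_cli -s id.txt` chains commands in one login session; and the gateway-side `dynamic_objects -n <name> -r <from> <to> -a` syntax. The sample ScreenOS lines are constructed (the first is the one quoted above, with its masked interface address left as posted).

```python
"""Map ScreenOS DIP pools to Check Point NAT constructs, as discussed in the
thread.  Added example, not SmartMove's code.

Mapping:
  DIP pool with start == end  -> host object + manual Hide NAT rule behind it
  DIP pool with start <  end  -> dynamic object used as translated source in a
                                 Hide NAT rule, members set on the gateway with
                                 the `dynamic_objects` command
Assumed (labelled): package name "Standard", object naming scheme, the source
network name supplied by the caller, and a session file id.txt for mgmt_cli.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches "set interface <ifc> ... dip <id> <start> <end>" with anything in
# between (ScreenOS allows the ext ip/mask before dip and e.g. fix-port after).
DIP_RE = re.compile(
    r"^\s*set interface (?P<ifc>\S+) .*?\bdip (?P<id>\d+) "
    r"(?P<start>\d{1,3}(?:\.\d{1,3}){3}) (?P<end>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample: line 1 is the one quoted in the thread (single-IP pool),
# line 2 is a genuine range with fix-port, line 3 has no DIP at all.
SAMPLE_SCREENOS = """\
set interface ethernet1/1 ext ip 10.10.xx.xx 255.255.255.224 dip 9 192.168.1.1 192.168.1.1
set interface ethernet1/2 dip 10 203.0.113.10 203.0.113.20 fix-port
set interface ethernet1/3 ip 172.16.0.1/24
"""


@dataclass
class DipPool:
    interface: str
    dip_id: int
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    @property
    def is_single_ip(self) -> bool:
        """A one-address pool is just Hide NAT behind that address."""
        return self.start == self.end


def parse_dip(line: str) -> Optional[DipPool]:
    """Return the DIP pool defined on a ScreenOS 'set interface' line, or None."""
    m = DIP_RE.match(line)
    if not m:
        return None
    start = ipaddress.IPv4Address(m["start"])
    end = ipaddress.IPv4Address(m["end"])
    if end < start:
        raise ValueError(f"DIP {m['id']}: pool end {end} precedes start {start}")
    return DipPool(m["ifc"], int(m["id"]), start, end)


def to_checkpoint(pool: DipPool, source: str, package: str = "Standard") -> List[str]:
    """mgmt_cli commands (and, for ranges, the gateway command) for one pool."""
    name = f"dip{pool.dip_id}_{pool.interface.replace('/', '_')}"
    rule = (f'mgmt_cli -s id.txt add nat-rule package "{package}" position top '
            f'original-source "{source}" translated-source "{name}" method hide '
            f'comments "ScreenOS DIP {pool.dip_id} on {pool.interface}"')
    if pool.is_single_ip:
        return [f'mgmt_cli -s id.txt add host name "{name}" ip-address "{pool.start}"', rule]
    return [
        f'mgmt_cli -s id.txt add dynamic-object name "{name}"',
        rule,
        # The dynamic object is empty on the management side; its members are
        # resolved on the enforcing gateway, in expert mode.
        f"# on the gateway (expert mode): dynamic_objects -n {name} -r {pool.start} {pool.end} -a",
    ]


def convert(config: str, source: str, package: str = "Standard") -> List[str]:
    """Full script: login, one block per DIP pool found, publish, logout."""
    cmds = ["mgmt_cli login user admin > id.txt"]
    for line in config.splitlines():
        pool = parse_dip(line)
        if pool is not None:
            cmds.extend(to_checkpoint(pool, source, package))
    cmds += ["mgmt_cli -s id.txt publish", "mgmt_cli -s id.txt logout"]
    return cmds


if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_SCREENOS, source="Net_Internal")))
```

Review the emitted rules against the ScreenOS policies that reference each DIP id before running them: the generator places every rule at the top of the NAT rulebase, and the original source given here applies to all pools, whereas on the Juniper side each policy chose its own source and DIP.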