| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| We're happy to announce the public availability of the new tool for advanced operations on Security Management configurations – Check Point Confwiz. Check Point Confwiz provides a framework for: Migration of Security Configuration from Cisco PIX, FWSM to Check Point Security Gateways Gain confidence in opportunities to replace existing Cisco firewalls with Check Point Security Gateways. Check Point Confwiz allows you to execute the tedious error-prone task of migrating a Cisco PIX / FWSM firewall to a Check Point firewall in 20% of the time. Batch operations on the Check Point database Enhance customers’ configuration manageability with Confwiz’s open format XML which allows you to carry out batch operations easily and efficiently. For more information on what Confwiz can do for you and for our customers, visit Confwiz’s home page at: http://supportcontent.checkpoint.com...ons?id=sk41719 |
| |||
| Will this do standard Cisco router ACLs - not just PIX rules? CheckPoint Professional services has a tool and were offering to convert our 3000 lines of ACLs into CheckPoint objects, rules etc. (of course it would take 5 days for them to do that $$) They would not let us have the tool. I'm wondering if this is the tool they were planning to use. |
| |||
| Don't worry, I beat him by 30 min ;) Confwiz tool - Migrate configuration from Cisco Pix to Checkpoint |
| |||
| This will not import PIX 7.x or 8.x configurations. Right now it is limited to PIX 6.3 (seen one of those lately?) and FWSM 2.3. I would look at this as more of an Ofiller/Odumper offering by Check Point. |
| |||
| Hi all, Officially, Confwiz supports PIX 6.3 and FWSM 2.3. These are the platforms that were tested and Confwiz’s output was verified to be correct. Taking into consideration the structure of Cisco configuration files, Confwiz will be able to parse and convert newer versions of Cisco firewalls, such as PIX 7.x, ASA 7.x, FWSM 3.x and so on. The following must be taken into account when performing a migration from a newer version:
1. You must verify that there are no functionality differences between the newer version and the supported version in respect to the Cisco commands that Confwiz parses (listed in the Confwiz Installation and Admin Guide). For example, if there is some type of implied rules mechanism (such as in PIX 6.x) or the commands behave differently in any other means, then they may be converted incorrectly. Note that you can follow the conversion logic in the audit file under the log/ subdirectory.
2. The Cisco commands syntax that Confwiz recognizes is that of PIX 6.3 and FWSM 2.3, thus you must manually manipulate the commands of the newer version to appear like the older commands when applicable. For example, ASA allows you to add a description to the name command. PIX 6.3 and FWSM 2.3 don’t. Thus, configurations which have a name command with a description won’t be parsed by Confwiz. In this case, you can just remove the description from the name command. As for most commands, the syntax is the same and thus no manipulation will need to be performed.
To sum it up, officially no other versions of Cisco firewalls are currently supported. Technically, in cases where there are no major differences between the version of the Cisco firewall that you want to migrate and a Cisco PIX 6.3 or FWSM 2.3, then with minimal configuration tweaks, Confwiz can perform an initial conversion, saving a lot of time and manual effort. In these cases, please pay more attention to the conversion audit log and convert the remainder of the configuration manually.
If you perform such migrations with Confwiz, we will be more than happy to hear about your experience and changes that you’ve made to the configurations. |
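
The `name` command clean-up described in the post above, as an added example that is not part of the original thread and is not Check Point's code. It assumes the ASA form `name <ip> <name> description <text>`; the sample configuration is constructed, and the function name is hypothetical. The stripped descriptions are returned so they can be reviewed and re-entered as object comments after the import.

```python
import re

# ASA form:               name <ip_address> <name> description <free text>
# PIX 6.3 / FWSM 2.3 form: name <ip_address> <name>
NAME_WITH_DESC = re.compile(
    r"^(?P<indent>\s*)name\s+(?P<ip>\S+)\s+(?P<alias>\S+)"
    r"\s+description\s+(?P<desc>.+?)\s*$"
)

# Constructed sample input, not taken from a real device.
SAMPLE_ASA = """\
hostname fw-example
name 192.0.2.10 web-dmz description Public web server
name 192.0.2.20 mail-dmz
object-group network dmz-hosts
 description DMZ hosts
 network-object host web-dmz
access-list outside_in permit tcp any host web-dmz eq www
"""


def strip_name_descriptions(config_text):
    """Rewrite ASA-style name commands into the 6.3-style form.

    Returns (normalized_text, changes), where changes is a list of
    (line_number, alias, removed_description) tuples. Only lines that
    start with the name command are rewritten; description lines that
    belong to other commands (e.g. object-group) are left untouched.
    """
    out, changes = [], []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = NAME_WITH_DESC.match(line)
        if m:
            out.append(f"{m['indent']}name {m['ip']} {m['alias']}")
            changes.append((lineno, m["alias"], m["desc"]))
        else:
            out.append(line)
    return "\n".join(out) + "\n", changes


if __name__ == "__main__":
    normalized, changes = strip_name_descriptions(SAMPLE_ASA)
    print(normalized, end="")
    for lineno, alias, desc in changes:
        print(f"# line {lineno}: removed description of {alias!r}: {desc}")
```
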
| |||
| This is a welcomed announcement but a bit disappointed it does not officially support 7.x and 8.x. There are many differences between 6.3 and 7.x in how commands are applied. Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0 - Cisco Systems I would also be interested to see how other people find this tool. __________________ tdvit CCSA CCSE |
| |||
| I fully understand your feedback. This is the first release and we'll continue to extend the supported platform; nevertheless, we do not support each and every Cisco command, but try to cover the most meaningful and common ground. Even though there are changes between the versions, most of the current commands supported by Confwiz are left intact. * We do parse the interface configuration mode (ip address, nameif and security-level) in both 6.x and 7.x format. |
| |||
| I would disagree. I could see it as a very useful tool, the assumption that it would work for version 7 is relatively valid, as 6.3 is merely a stepping stone to the end game. __________________ It's all in the documentation. |
| |||
| I consider this confwiz as a beta version. Check Point has to work hard and quick to support Cisco latest versions. Cisco has a converting tool for years supporting Check Point versions from 4.x to NGX! |
| |||
| Quote:
I've used Cisco conversion tool from Checkpoint over to Cisco migration as early as 2005. The conversion tool is essentially useless, and yet this comes from someone who works with both CP and Cisco on a daily basis. The conversion is full of errors and the time you need to fix those, you wish you would go back and manually convert the rule. I have NOT looked at the checkpoint confwiz tool yet but if I have to guess, I would say that it would fall into the same category as the conversion tool that Cisco produced. These tools may be useful if you have simple migrations. For complex migration scenarios, these tools are essentially useless. Just my 2c. |
| |||
| Check Point and Cisco have major differences in the way of managing network security. Due to those changes, there will probably never be a fully automated tool that converts between the two. Having said that, the question remains how to make the migration as painless as possible. One of Confwiz's huge advantages is first of all in automating objects creation. This conserves a great deal of time and prevents human errors (just think of manually creating 5,000 hosts/networks). Some data, such as VPN communities, is not imported; however security Rules are imported as well as NAT configuration. Of course they need to be carefully reviewed and probably can be optimized, but almost everything is created for you automatically. I suggest giving it a test drive before associating it to the same category as the Cisco conversion tool. |