CPUG: The Check Point User Group


Thread: Announcing Confwiz

  1. #1
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    16

    Default Announcing Confwiz

    We're happy to announce the public availability of the new tool for advanced operations on Security Management configurations – Check Point Confwiz.



    Check Point Confwiz provides a framework for:

    Migration of Security Configuration from Cisco PIX, FWSM to Check Point Security Gateways
    Gain confidence in opportunities to replace existing Cisco firewalls with Check Point Security Gateways.

    Check Point Confwiz allows you to execute the tedious error-prone task of migrating a Cisco PIX / FWSM firewall to a Check Point firewall in 20% of the time.

    Batch operations on the Check Point database
    Enhance customers’ configuration manageability with Confwiz’s open format XML which allows you to carry out batch operations easily and efficiently.





    For more information on what Confwiz can do for you and for our customers, visit Confwiz’s home page at:

    http://supportcontent.checkpoint.com...ons?id=sk41719

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default re: Announcing Confwiz

    You beat me to it :)

  3. #3
    Join Date
    2006-05-24
    Posts
    6
    Rep Power
    0

    Default Re: Announcing Confwiz

    Will this do standard Cisco router ACLs - not just PIX rules? CheckPoint Professional services has a tool and were offering to convert our 3000 lines of ACLs into CheckPoint objects, rules etc. (of course it would take 5 days for them to do that $$). They would not let us have the tool. I'm wondering if this is the tool they were planning to use.

  4. #4
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Announcing Confwiz

    The tool only lists PIX, not Cisco ACLs.

  5. #5
    Join Date
    2006-04-27
    Location
    Twillight zone
    Posts
    1,009
    Rep Power
    15

    Default Re: Announcing Confwiz

    Quote Originally Posted by PhoneBoy View Post
    You beat me to it :)
    Don't worry, I beat him by 30 min ;)

    http://www.cpug.org/forums/confwiz/1...heckpoint.html

  6. #6
    Join Date
    2007-05-01
    Location
    Minneapolis, MN
    Posts
    59
    Rep Power
    13

    Default Re: Announcing Confwiz

    This will not import PIX 7.x or 8.x configurations. Right now it is limited to PIX 6.3 (seen one of those lately?) and FWSM 2.3. I would look at this as more of an Ofiller/Odumper offering by Check Point.

  7. #7
    Join Date
    2009-05-10
    Posts
    5
    Rep Power
    0

    Default Re: Announcing Confwiz

    Hi all,
    Officially, Confwiz supports PIX 6.3 and FWSM 2.3. These are the platforms that were tested and Confwiz's output was verified to be correct.

    Taking into consideration the structure of Cisco configuration files, Confwiz will be able to parse and convert newer versions of Cisco firewalls, such as PIX 7.x, ASA 7.x, FWSM 3.x and so on.

    The following must be taken into account when performing a migration from a newer version:
    1. You must verify that there are no functionality differences between the newer version and the supported version in respect to the Cisco commands that Confwiz parses (listed in the Confwiz Installation and Admin Guide). For example, if there is some type of implied rules mechanism (such as in PIX 6.x) or the commands behave differently in any other means, then they may be converted incorrectly. Note that you can follow the conversion logic in the audit file under the log/ subdirectory.
    2. The Cisco commands syntax that Confwiz recognizes is that of PIX 6.3 and FWSM 2.3, thus you must manually manipulate the commands of the newer version to appear like the older commands when applicable. For example, ASA allows you to add a description to the name command. PIX 6.3 and FWSM 2.3 don't. Thus, configurations which have a name command with a description won't be parsed by Confwiz. In this case, you can just remove the description from the name command. As for most commands, the syntax is the same and thus no manipulation will need to be performed.

    To sum it up, officially no other versions of Cisco firewalls are currently supported.

    Technically, in cases where there are no major differences between the version of the Cisco firewall that you want to migrate and a Cisco PIX 6.3 or FWSM 2.3, then with minimal configuration tweaks, Confwiz can perform an initial conversion, saving a lot of time and manual effort. In these cases, please pay more attention to the conversion audit log and convert the remainder of the configuration manually.

    If you perform such migrations with Confwiz, we will be more than happy to hear about your experience and changes that you've made to the configurations.
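
The manual tweak described in the post above (removing the description from ASA `name` commands so the file matches PIX 6.3 / FWSM 2.3 syntax), as an added example that is not part of the original post and is not Confwiz code. The function name, the sample configuration and the record of removed descriptions are assumptions made for illustration; every other command is passed through unchanged so the result can still be checked against the conversion audit log.

```python
import re

# ASA form:                 name <ip> <object-name> description <free text>
# PIX 6.3 / FWSM 2.3 form:  name <ip> <object-name>
NAME_WITH_DESC = re.compile(
    r"^(?P<indent>\s*)name\s+(?P<ip>\S+)\s+(?P<obj>\S+)"
    r"\s+description\s+(?P<desc>.+?)\s*$"
)

def strip_name_descriptions(config_text):
    """Return (converted_text, removed).

    removed lists (line_number, object_name, description) for every line
    that was rewritten, so dropped descriptions can be reviewed or
    re-entered by hand after the import.
    """
    out, removed = [], []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = NAME_WITH_DESC.match(line)
        if m:
            out.append(f"{m['indent']}name {m['ip']} {m['obj']}")
            removed.append((lineno, m["obj"], m["desc"]))
        else:
            out.append(line)  # all other commands pass through untouched
    return "\n".join(out) + "\n", removed

# Constructed sample input (documentation addresses, hypothetical names).
# Line 4 is an object literally named "description" with no description
# text; it is already valid older syntax and must not be rewritten.
SAMPLE = """\
hostname fw-example
name 192.0.2.10 web-srv description Public web server
name 192.0.2.20 mail-srv
name 198.51.100.5 description
access-list outside_in permit tcp any host web-srv eq www
"""

if __name__ == "__main__":
    converted, removed = strip_name_descriptions(SAMPLE)
    print(converted, end="")
    for lineno, obj, desc in removed:
        print(f"# line {lineno}: removed description of {obj!r}: {desc}")
```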

  8. #8
    Join Date
    2005-08-30
    Posts
    234
    Rep Power
    14

    Default Re: Announcing Confwiz

    This is a welcomed announcement but a bit disappointed it does not officially support 7.x and 8.x

    There are many differences between 6.3 and 7.x in how commands are applied

    Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0 - Cisco Systems

    I would also be interested to see how other people find this tool.
    tdvit
    CCSA
    CCSE

  9. #9
    Join Date
    2009-05-10
    Posts
    5
    Rep Power
    0

    Default Re: Announcing Confwiz

    I fully understand your feedback. This is the first release and we'll continue to extend the supported platform; nevertheless, we do not support each and every Cisco command, but try to cover the most meaningful and common ground. Even though there are changes between the versions, most of the current commands supported by Confwiz are left intact.

    * We do parse the interface configuration mode (ip address, nameif and security-level) in both 6.x and 7.x format.

  10. #10
    Join Date
    2008-07-26
    Posts
    155
    Rep Power
    12

    Default Re: Announcing Confwiz

    This tool is pointless... most customers would want to migrate from PIX/ASA 7 or 8 ... also there is no support for Junipers Netscreens...

  11. #11
    Join Date
    2006-01-25
    Location
    Americas
    Posts
    1,535
    Rep Power
    15

    Default Re: Announcing Confwiz

    Quote Originally Posted by Felix001 View Post
    This tool is pointless... most customers would want to migrate from PIX/ASA 7 or 8 ... also there is no support for Junipers Netscreens...
    I would disagree. I could see it as a very useful tool, the assumption that it would work for version 7 is relatively valid, as 6.3 is merely a stepping stone to the end game.
    It's all in the documentation.

  12. #12
    Join Date
    2007-04-11
    Location
    Lausanne, Switzerland
    Posts
    140
    Rep Power
    13

    Default Beta Version

    I consider this confwiz as a beta version. Check Point has to work hard and quick to support Cisco latest versions.
    Cisco has a converting tool for years supporting Check Point versions from 4.x to NGX!

  13. #13
    Join Date
    2006-09-26
    Posts
    3,193
    Rep Power
    16

    Default Re: Beta Version

    Quote Originally Posted by Tan Da Boss View Post
    I consider this confwiz as a beta version. Check Point has to work hard and quick to support Cisco latest versions.
    Cisco has a converting tool for years supporting Check Point versions from 4.x to NGX!
    Here is my 2c on this:

    I've used Cisco conversion tool from Checkpoint over to Cisco migration as early as 2005. The conversion tool is essentially useless, and yet this comes from someone who works with both CP and Cisco on a daily basis. The conversion is full of errors and the time you need to fix those, you wish you would go back and manually convert the rule.

    I have NOT looked at the checkpoint confwiz tool yet but if I have to guess, I would say that it would fall into the same category as the conversion tool that Cisco produced.

    These tools may be useful if you have simple migrations. For complex migration scenarios, these tools are essentially useless.

    just my 2c.

  14. #14
    Join Date
    2009-05-10
    Posts
    5
    Rep Power
    0

    Default Re: Announcing Confwiz

    Check Point and Cisco have major differences in the way of managing network security. Due to those changes, there will probably never be a fully automated tool that converts between the two.

    Having said that, the question remains how to make the migration as painless as possible. One of Confwiz's huge advantages is first of all in automating objects creation. This conserves a great deal of time and prevents human errors (just think of manually creating 5,000 hosts/networks). Some data, such as VPN communities, is not imported; however security Rules are imported as well as NAT configuration. Of course they need to be carefully reviewed and probably can be optimized, but almost everything is created for you automatically.

    I suggest giving it a test drive before associating it to the same category as the Cisco conversion tool.
