CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Confwiz or other tools for Cisco to Check Point migration

  1. #1
    Join Date
    2014-11-19
    Posts
    2
    Rep Power
    0

    Default Confwiz or other tools for Cisco to Check Point migration

    Hello,

    I am looking to update a Cisco firewall (version 9.1) to the latest version of Check Point (77.20 or above). Any tips or useful tools are greatly appreciated.

    I have looked into potentially using confwiz but I don't believe it has been tested on any newer versions. Has anyone tried migrating Cisco to a version of Check Point R77 or greater?

    Thank you.

  2. #2
    Join Date
    2006-04-27
    Location
    Twillight zone
    Posts
    999
    Rep Power
    12

    Default Re: Confwiz or other tools for Cisco to Check Point migration

    Make sure you get the latest version of confwiz through the proper channels (your SE).
    Those publicly available are far from latest ones.

  3. #3
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    4

    Default Re: Confwiz or other tools for Cisco to Check Point migration

    While confwiz can sometimes work, it is completely unsupported by Check Point, and it won't make a perfect conversion of the rules; it'll make a decent conversion, at best, and a completely useless conversion at worst. In my experience, the better method would be to simply re-create the rulebase, as this ensures that the rules are created in accordance with Check Point best practices, rather than trying to convert a policy from another vendor with a completely different approach to network security.

  4. #4
    Join Date
    2006-04-27
    Location
    Twillight zone
    Posts
    999
    Rep Power
    12

    Default Re: Confwiz or other tools for Cisco to Check Point migration

    It's far from perfect, yes (any tools are). I've tested competitors' migration tools and while some of them are waaay more advanced and fancier than confwiz, none of them can do a 100% job. It's always something with NAT, VPN tunnels etc.

    Anyway, if the ruleset is huge it will definitely save you some time. If nothing else to create objects etc.
    Also I would like to give thumbs up for Check Point policy optimization service which worked really well for me on gigantic policies!


    But yeah, if you have the possibility / time to do it from scratch, by all means do that as you can filter out a bunch of crap not used and adapt the policy "the Check Point way" right from the beginning.

  5. #5
    Join Date
    2014-11-19
    Posts
    2
    Rep Power
    0

    Default Re: Confwiz or other tools for Cisco to Check Point migration

    It isn't an overly large rulebase so it sounds like it may just be best if I just rebuild it without the use of confwiz. Thanks for your help!

  6. #6
    Join Date
    2017-09-17
    Posts
    4
    Rep Power
    0

    Default Re: Confwiz or other tools for Cisco to Check Point migration

    Hi guys,

    Please advise me where I can download the above tools besides going to the Check Point website.
    As I really need to convert the Cisco ASA into Check Point Power-1 5070 which is currently on R75.45.
    Please also advise me where I can download the R80 firmware and can I directly upgrade it from R75.45 to R80?

    thank you

    New guy on the block and still green
    Edwin Ng

  7. #7
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,092
    Rep Power
    12

    Default Re: Confwiz or other tools for Cisco to Check Point migration

    Quote Originally Posted by nkcedwin View Post
    Hi guys,

    Please advise me where I can download the above tools besides going to the Check Point website.
    As I really need to convert the Cisco ASA into Check Point Power-1 5070 which is currently on R75.45.
    Please also advise me where I can download the R80 firmware and can I directly upgrade it from R75.45 to R80?

    thank you

    New guy on the block and still green
    Edwin Ng
    First off, R75.45 is no longer supported. R77.30 is the oldest actively supported release.

    Check out the new SmartMove tool for easily converting Cisco configs to Check Point: sk115416: How to migrate a competitor's database to Check Point with SmartMove

    Yes you can upgrade directly from R75.45 to R80.10, although if you are on SecurePlatform instead of Gaia it might be a bit more complicated.

    Download of R80.10 is here at usercenter.checkpoint.com: sk111841: Check Point R80.10

    If you do not have a support contract for access to download the code, talk to your Check Point SE. Please do not request someone here at CPUG to get it for you.
    --
    My Book "Max Power: Check Point Firewall Performance Optimization"
    Second Edition Coming Soon

  8. #8
    Join Date
    2006-09-26
    Posts
    3,055
    Rep Power
    15

    Default Re: Confwiz or other tools for Cisco to Check Point migration

    Quote Originally Posted by ShadowPeak.com View Post
    First off, R75.45 is no longer supported. R77.30 is the oldest actively supported release.

    Check out the new SmartMove tool for easily converting Cisco configs to Check Point: sk115416: How to migrate a competitor's database to Check Point with SmartMove

    Yes you can upgrade directly from R75.45 to R80.10, although if you are on SecurePlatform instead of Gaia it might be a bit more complicated.

    Download of R80.10 is here at usercenter.checkpoint.com: sk111841: Check Point R80.10

    If you do not have a support contract for access to download the code, talk to your Check Point SE. Please do not request someone here at CPUG to get it for you.
    I've played a bit with Cisco to Check Point migration using that sk mentioned above. It will help with primitive stuff but for complex NAT in Cisco ASA, it is pretty worthless :-(

    Btw, Cisco has pushed people away from ASA code and into Firepower code. The SK will not be able to help with this conversion, FYI

  9. #9
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,092
    Rep Power
    12

    Default Re: Confwiz or other tools for Cisco to Check Point migration

    Quote Originally Posted by cciesec2006 View Post
    I've played a bit with Cisco to Check Point migration using that sk mentioned above. It will help with primitive stuff but for complex NAT in Cisco ASA
    Converting the NAT policy going from Cisco to Check Point has always been the hardest part about the conversion process. Hopefully at some point Security Zones will be supported for use in Check Point NAT policies as that would have helped out a lot.
    --
    My Book "Max Power: Check Point Firewall Performance Optimization"
    Second Edition Coming Soon

  10. #10
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,388
    Rep Power
    15

    Default Re: Confwiz or other tools for Cisco to Check Point migration

    Quote Originally Posted by ShadowPeak.com View Post
    First off, R75.45 is no longer supported. R77.30 is the oldest actively supported release.

    Check out the new SmartMove tool for easily converting Cisco configs to Check Point: sk115416: How to migrate a competitor's database to Check Point with SmartMove

    Yes you can upgrade directly from R75.45 to R80.10, although if you are on SecurePlatform instead of Gaia it might be a bit more complicated.

    Download of R80.10 is here at usercenter.checkpoint.com: sk111841: Check Point R80.10

    If you do not have a support contract for access to download the code, talk to your Check Point SE. Please do not request someone here at CPUG to get it for you.
    Earlier releases definitely require a support contract, but R80.10 does not.

    Sent from my SM-G955U1 using Tapatalk
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  11. #11
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,092
    Rep Power
    12

    Default Re: Confwiz or other tools for Cisco to Check Point migration

    Quote Originally Posted by PhoneBoy View Post
    Earlier releases definitely require a support contract, but R80.10 does not.

    Sent from my SM-G955U1 using Tapatalk
    Didn't believe it at first, but I just downloaded the R80.10 iso while being signed out from the Check Point User Center and it worked. Nice tip!
    --
    My Book "Max Power: Check Point Firewall Performance Optimization"
    Second Edition Coming Soon

  12. #12
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,388
    Rep Power
    15

    Default Re: Confwiz or other tools for Cisco to Check Point migration

    Quote Originally Posted by ShadowPeak.com View Post
    Didn't believe it at first, but I just downloaded the R80.10 iso while being signed out from the Check Point User Center and it worked. Nice tip!
    It's a fairly recent development that I may or may not have something to do with :)
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
