CheckPoint to Netscreen migration

  • Can anyone help me to migrate from CheckPoint to Netscreen?

    I will be working on a project soon and need to get started.



  • You want to make sure if you have remote sites that you either migrate them to netscreens or make sure you can setup tunnels with what you have there.

    You will have to manually create all the rules.

    Make sure you go with a stable screenOS, we shot ourselves in the foot with 5.3r2 way too many bugs.

    You will be happy with performance especially with VPN. We basically improved 15 milliseconds on our ping times with the new firewalls (208’s)

  • @Hungrytech:

    Can anyone help me to migrate from CheckPoint to Netscreen?

    I will be working on a project soon and need to get started.



    I replaced a Checkpoint NG with NS 204 months ago and have been quite pleased.

    To get started here are a couple of thoughts:

    Define objects

    Figure out where you are going to send syslog data, SNMP traps, etc. and set it up.

    Translate Checkpoint rules into NS policies - in general, you need to think about policies a bit differently, clearly define them for each of your zones and then translate each from Checkpoint to ScreenOS speak. I found the book Configuring Netscreen Firewalls to be somewhat helpful on certain topics where Juniper’s documentation did not quite have what I was looking for (the book is a little dated now with some of the new features in ScreenOS 5.2 so you may want to search Juniper’s Netscreen knowledgebase a bit too). For the highest bandwidth consuming protocols, I setup individual policies for them in order to have the ability to use the “counting” feature later on for defining more advanced features (like traffic shaping for ftp, h323, etc).

    Test - for initial rule testing, I deployed it in parallel with our existing firewall using different IP addresses in the same ranges (for trust, DMZ1, DMZ2 and untrust) and pointed a few test systems at the NS204 as their default gateway.

    Test deploy at least a couple of times (we did it multiple times on weekends).

    Setup any performance monitoring / reporting in advance of production deployment. I setup FireGen to create daily summary reports and MRTG to create historical graphs of the throughput on all of the firewall interfaces and the processor utiliztion.

    Deploy it.

    I also have a 5GT-201-AV at home that I still use to test new ideas that I would not want to drop on the production box straight away.

  • Our team just did a migration from Checkpoint NG to an ISG1000. Hundreds of rules and objects. A few thousand users. Major enterprise.

    The short story is this was a great success, only one rule goof. There’s no magic bullet, you need to methodically create the rules & objects. You also need to get the mindset of ScreenOS zones which is really well documented in the Concepts Guide.

    We’re really happy with the results. This was the first of many happy moments getting Checkpoint out the door 😉