Migrating CheckPoint to SSG-520



  • I am working with a customer who is looking at collapsing 5 Checkpoint firewalls into a pair of 520s.  I heard there is a tool/utility to migrate the Checkpoint rulebase to an NS policy?  Anyone heard of this tool?  Anyone use it?

    Thanks



  • @Junigal:

    I am working with a customer who is looking at collapsing 5 Checkpoint firewalls into a pair of 520s…  Anyone heard of this tool?  Anyone use it?

    Thanks

    Greetings, I recommend you start from scratch. I migrated from ChuckPoint a couple years ago to two NS-204’s. Since I am familiar with many firewall products, it did not take long to grasp the differences between CheckPoint and NS terminology. Once I had that down, I set up a 204 in parallel, tested the new policies for a few weeks, set test users on the new default gateway and eventually migrated everyone in ~45 days total.

    Feel free to ask specific questions if you have any regarding migration.


  • administrators

    There is a tool; however, the official word on it is that you have to be certified to use it.  It does not do everything, and for small rulebases, it is more trouble than it is worth.  It does about 80% of the work for you, but you still need to go through the policy and do a bunch of stuff manually.

    If you have less than 100 rules in the checkpoints, I would just do it all manually.  It will give you a good chance to clean up old and unused rules.



  • Juniper’s Professional Services have a tool, I was once told.
    There’s a Perl script out there that also does a half-baked job.
    I think it’s easier to just write the rules - it’s a good time to clean up, check the security.
    The “zone” concept is just too hard to translate from Checkpoint’s method.


 
