cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2308
Views
0
Helpful
3
Replies

Check Point To ASA 8.4 Rules Conversion Help Required ?

mr_fc
Level 1
Level 1

Hi Experts,

My questing is if I have to Convert Rules (ACL) from Check Point to ASA 8.4 what  are my options keeping in mind below

  • Check Point can hold in a single group multiple different direction interfaces (e.g. inside, outside) where ASA cannot. ASA has to be per interface per port (tcp /udp group).
  • Cisco Security Conversation Tool  does not copy groups that hold multiple direction interfaces

Q 1. Is there any reliable tool available that can use and verify the result?

Q 2. Is there any efficient way to perform this task?

Thanks in advance for consideration

3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Sorry can't really comment on the Checkpoint as I've only used Cisco firewall products so far.

But if I understood you correctly you are currently using rules in the Checkpoint that are used for many firewall interfaces and many directions. If this is correct, there is an option in the new ASA software (Think it came in 8.3 already) that lets you configure a single access-list to be used for every single interface on the ASA, and for both directions.

The command format to apply a configured ACL to be used as Global Access-list you would have to use the following command

"access-group global"

The normal format for per interface/direction would be

"access-group in/out interface "

As I said before, I can't really say anything about Checkpoint so I don't know what its ACL format is like.

I'm also not familiar about any conversion tools but that mostly due to never having any need for such. I'm sure someone else might give you better information about it.

I guess if you can give some example rules you need converted, it would give me or someone else some idea how different the formats are.

- Jouni

Hi Jouni,

Thanks for your reply. I think you did not understand my question.

Question is very simple

What is the best tool to convert Check Point to ASA Firewall Rules (if rules are more then 1000)

Most Important what is the method to verifiy all of them on ASA after conversion if they have Migrated 100% ?

Would be great if any expert can comment on that

Regards

Anand Kanani
Cisco Employee
Cisco Employee

Here is the new self-service tool that Cisco has released to convert to any vendor firewalls to Cisco ASA.

Currently it supports Juniper ScreenOS and CheckPoint to Cisco ASA conversion.

Link to the original post:

https://supportforums.cisco.com/community/netpro/security/firewall/blog/2013/12/19/conversion-tool--checkpoint-fw-to-cisco-asa

Link to the tool itself:

https://fwmig.cisco.com

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: