I have done this type of conversion, but there is no nice automatic way to
do it.  There are conceptually a few differences, especially in how vpns are
handled.

Although you can set checkpoint up as a zone-type firewall, IMHO it would be
better to revisit the configuration and provide a functionality match to the
firewalls rather than just duplicating the rules.  By this I mean converting
to checkpoint service names rather than ports, taking advantage of rule and
object grouping, etc.

Ted Serreyn

--

Ted Serreyn Phone:262-432-0260 Fax:262-432-0232

Serreyn Network Services, LLC http://www.serreyn.com/


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of pkc_mls
Sent: Monday, March 01, 2010 3:40 AM
To: [email protected]
Subject: Re: [FW-1] Netscreen firewall policy to Checkpoint Fw-1

> Hi
>
> Has anyone converted a Netscreen firewall policy to Checkpoint R65/R70,
> can this be done?
> I have taken a look at fw1 rules and confwiz but they do not do this,
> object dumper not so sure does this, has anyone managed to convert a NS
> policy to Checkpoint and if so what tool was used?
>
> Many Thanks

Hi,

As far as I know, there is no automatic conversion tool.
You can use some tools like odumper to get at least the objects, then
add those to the screenos with regular set commands.

Then it depends on how complex your ruleset is on the netscreen device
(forget about nat per policy or vpn per policy on checkpoint).

It's perhaps a good point to check what is still in use in your
rulebase, and reorder a little bit. Don't create sections with the zones
from the netscreen, it won't make sense.

Last question: why do you plan to migrate to a checkpoint from a
netscreen?




Scanned by Check Point Total Security Gateway.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

Email secured by Check Point

