Checkpoint to Pix conversion tools [7:72088]
Hi,

Has anyone ever come across tools to do this, apart from the ones on offer by SolSoft? Any open source out there yet?

What's everyone up to? I am here in Sydney looking at Disaster Recovery situations, and moving to a PIX environment. Not much new happening, got less Cisco based work to do, and more Sys Admin work, mostly Solaris, which is quite interesting all the same.

One thing that I wish to implement is traffic shaping. Has anyone got an idea if Selective Packet Discard is turned on by default on various IOS versions 12.2(2)? I have had 2 instances this month of a site going down due to a flood of traffic going through its tiny 256k link into the main site.

Would also love to traffic shape those annoying people that I work with down to a crawl on the network (local LAN). Has anyone done this before?

Thanks for your time. What are you people doing, anything new and exciting?

John
Sydney, Australia

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72088&t=72088
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: migration from CheckPoint to PIX firewall [7:58968]
Hi,

Could you tell me why you are planning migrating from CheckPoint to PIX? We use PIX and it is very good, but I don't know CheckPoint and was wondering if it is a good solution.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59091&t=58968
RE: migration from CheckPoint to PIX firewall [7:58989]
Sounds to me like you won't save much if any money in the long run. With all the other bits and pieces you need for the complete solution, you are probably better off keeping Checkpoint, and paying the high price.

Checkpoint is pricy, maybe a little too pricy, but it is pretty good from a functionality and ease of use perspective. Some people don't like it because of its (relatively) poor vulnerability record. I am far from a PIX expert, but IMHO the PIX is quite a bare bones Firewall, and it unnecessarily makes some things a pain in the a$$ to configure.

Symon

-----Original Message-----
From: eric nguyen [mailto:[EMAIL PROTECTED]]
Sent: 11 December 2002 20:35
To: [EMAIL PROTECTED]
Subject: RE: migration from CheckPoint to PIX firewall [7:58989]

Thanks everyone for your advice and input. Checkpoint license, maintenance and support are very expensive. We also host web services in-house and based on my research and if I understand it correctly, Pix performance is excellent.

On a similarly related topic, I am studying for my Cisco CSS-1 cert. I have a "franken" pix firewall running on a 350Mhz PII CPU with 512MB of RAM on a 16MB ISA flash. I know that Cisco Pix 525 is a PIII 700Mhz processor and it supports Gigabit interface. I would like to stress test the franken pix that I have in the lab to see how much web, smtp, ftp and streaming video it can handle. The OS it is using is 6.2(2) with PDM 2.1(1).

My company is looking at purchasing the Pix525. However, my boss asks for my opinion for this before purchasing the hardware. I know that the motherboard on the "franken" pix supports CPUs between 233Mhz and up to 850Mhz. Before rushing to the web and purchasing a P3 700Mhz CPU, I would like to know if anyone has successfully run the franken pix on a 700Mhz or higher CPU. I actually tried it with a 550Mhz slot 1 CPU and the franken pix did actually work for about 30 minutes before locking up due to no CPU fan. Will it work with a 700Mhz CPU?

Thanks.

Eric

Justin Menga wrote:

Hi,

A) No
B) No

Workarounds are to do this on a separate Cisco router - e.g. Border router perhaps. Cisco routers have good QoS, and also have a rotary NAT feature that load balances incoming packets sent to a global IP to multiple private IPs. This feature however is very simple and is nowhere near the capabilities of HTTP load balancing on Check Point (NG at least). There is also a server load balancing feature in some Cisco routers, not familiar with this though.

I'd say keep the Check Point - why are you pushing it out? Maintenance expired?

Regards,
Justin

-----Original Message-----
From: eric nguyen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 3:38 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: OT: migration from CheckPoint to PIX firewall

My company is looking to migrate from CheckPoint over to Pix Firewall in the next couple of months and I have been assigned to this project. I have questions about Pix firewalls. We are a small company, less than 50 people.

a) Does pix firewall support QOS, traffic shaping or traffic prioritization? The checkpoint firewall we are using has a feature called "flood-gate" that can prioritize both inbound and outbound traffic. We would like to have this feature in Pix firewall as well.

b) Does pix support http load balancing? Checkpoint has a feature that supports http load-balancing for inbound traffic. We need this feature to load balance our web servers. I would like to have this feature in pix as well. We don't have the budget for dedicated load-balancer such as Cisco CSS. Open freeware is out of the question, will not fly past management.

Can pix do those things above without additional hardware?

Regards,
Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59085&t=58989
Re: OT: migration from CheckPoint to PIX firewall [7:58957]
A) No
B) No

It appears that someone in mgmt. has made a layer 8 (political) decision to migrate your firewall since the PIX does not support features you are currently using and yet the decision has already been made.

At this point, I would recommend that you put together a brief presentation (no more than 4 slides) listing the features that you will lose, why they are important and how much it will cost to implement those features on extra hardware. Make sure your mgmt. signs off _in writing_ that they are aware of the functionality that you are losing if they insist on migrating and refuse to buy additional hardware. Save the written sign off for later CYA use.

Regards,
Kent

At 02:39 AM 12/11/2002 +, eric nguyen wrote:
> My company is looking to migrate from CheckPoint over to Pix Firewall in the next couple of months and I have been assigned to this project. I have questions about Pix firewalls. We are a small company, less than 50 people.
>
> a) Does pix firewall support QOS, traffic shaping or traffic prioritization? The checkpoint firewall we are using has a feature called "flood-gate" that can prioritize both inbound and outbound traffic. We would like to have this feature in Pix firewall as well.
>
> b) Does pix support http load balancing? Checkpoint has a feature that supports http load-balancing for inbound traffic. We need this feature to load balance our web servers. I would like to have this feature in pix as well. We don't have the budget for dedicated load-balancer such as Cisco CSS. Open freeware is out of the question, will not fly past management.
>
> Can pix do those things above without additional hardware?
>
> Regards,
> Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58999&t=58957
Re: migration from CheckPoint to PIX firewall [7:58968]
Important to keep in mind here, pix is a firewall, not a router. You want a router, that'll be a separate thing.

Bri

On Wed, 11 Dec 2002, Larry Roberts wrote:
> Eric,
>
> The PIX by itself cannot do any of the features you are asking about below. You can throw in a Cisco router though to get those features. For the load balancing, you will need Server Load Balancing (SLB), which is supported on the 3631, 3725, 7100 and 7200 series routers.
>
> HTH,
> Larry Roberts
> CCIE #7886 (R&S / Security)
>
> ----- Original Message -----
> From: "eric nguyen"
> To:
> Cc:
> Sent: Tuesday, December 10, 2002 7:38 PM
> Subject: OT: migration from CheckPoint to PIX firewall
>
> > My company is looking to migrate from CheckPoint over to Pix Firewall in the next couple of months and I have been assigned to this project. I have questions about Pix firewalls. We are a small company, less than 50 people.
> >
> > a) Does pix firewall support QOS, traffic shaping or traffic prioritization? The checkpoint firewall we are using has a feature called "flood-gate" that can prioritize both inbound and outbound traffic. We would like to have this feature in Pix firewall as well.
> >
> > b) Does pix support http load balancing? Checkpoint has a feature that supports http load-balancing for inbound traffic. We need this feature to load balance our web servers. I would like to have this feature in pix as well. We don't have the budget for dedicated load-balancer such as Cisco CSS. Open freeware is out of the question, will not fly past management.
> >
> > Can pix do those things above without additional hardware?
> >
> > Regards,
> > Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59008&t=58968
Re: migration from CheckPoint to PIX firewall [7:58968]
Eric,

The PIX by itself cannot do any of the features you are asking about below. You can throw in a Cisco router though to get those features. For the load balancing, you will need Server Load Balancing (SLB), which is supported on the 3631, 3725, 7100 and 7200 series routers.

HTH,
Larry Roberts
CCIE #7886 (R&S / Security)

----- Original Message -----
From: "eric nguyen"
To:
Cc:
Sent: Tuesday, December 10, 2002 7:38 PM
Subject: OT: migration from CheckPoint to PIX firewall

> My company is looking to migrate from CheckPoint over to Pix Firewall in the next couple of months and I have been assigned to this project. I have questions about Pix firewalls. We are a small company, less than 50 people.
>
> a) Does pix firewall support QOS, traffic shaping or traffic prioritization? The checkpoint firewall we are using has a feature called "flood-gate" that can prioritize both inbound and outbound traffic. We would like to have this feature in Pix firewall as well.
>
> b) Does pix support http load balancing? Checkpoint has a feature that supports http load-balancing for inbound traffic. We need this feature to load balance our web servers. I would like to have this feature in pix as well. We don't have the budget for dedicated load-balancer such as Cisco CSS. Open freeware is out of the question, will not fly past management.
>
> Can pix do those things above without additional hardware?
>
> Regards,
> Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58968&t=58968
RE: migration from CheckPoint to PIX firewall [7:59004]
Hi,

A) No
B) No

Workarounds are to do this on a separate Cisco router - e.g. Border router perhaps. Cisco routers have good QoS, and also have a rotary NAT feature that load balances incoming packets sent to a global IP to multiple private IPs. This feature however is very simple and is nowhere near the capabilities of HTTP load balancing on Check Point (NG at least). There is also a server load balancing feature in some Cisco routers, not familiar with this though.

I'd say keep the Check Point - why are you pushing it out? Maintenance expired?

Regards,
Justin

-----Original Message-----
From: eric nguyen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 3:38 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: OT: migration from CheckPoint to PIX firewall

My company is looking to migrate from CheckPoint over to Pix Firewall in the next couple of months and I have been assigned to this project. I have questions about Pix firewalls. We are a small company, less than 50 people.

a) Does pix firewall support QOS, traffic shaping or traffic prioritization? The checkpoint firewall we are using has a feature called "flood-gate" that can prioritize both inbound and outbound traffic. We would like to have this feature in Pix firewall as well.

b) Does pix support http load balancing? Checkpoint has a feature that supports http load-balancing for inbound traffic. We need this feature to load balance our web servers. I would like to have this feature in pix as well. We don't have the budget for dedicated load-balancer such as Cisco CSS. Open freeware is out of the question, will not fly past management.

Can pix do those things above without additional hardware?

Regards,
Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59004&t=59004
RE: migration from CheckPoint to PIX firewall [7:58989]
Thanks everyone for your advice and input. Checkpoint license, maintenance and support are very expensive. We also host web services in-house and based on my research and if I understand it correctly, Pix performance is excellent.

On a similarly related topic, I am studying for my Cisco CSS-1 cert. I have a "franken" pix firewall running on a 350Mhz PII CPU with 512MB of RAM on a 16MB ISA flash. I know that Cisco Pix 525 is a PIII 700Mhz processor and it supports Gigabit interface. I would like to stress test the franken pix that I have in the lab to see how much web, smtp, ftp and streaming video it can handle. The OS it is using is 6.2(2) with PDM 2.1(1).

My company is looking at purchasing the Pix525. However, my boss asks for my opinion for this before purchasing the hardware. I know that the motherboard on the "franken" pix supports CPUs between 233Mhz and up to 850Mhz. Before rushing to the web and purchasing a P3 700Mhz CPU, I would like to know if anyone has successfully run the franken pix on a 700Mhz or higher CPU. I actually tried it with a 550Mhz slot 1 CPU and the franken pix did actually work for about 30 minutes before locking up due to no CPU fan. Will it work with a 700Mhz CPU?

Thanks.

Eric

Justin Menga wrote:

Hi,

A) No
B) No

Workarounds are to do this on a separate Cisco router - e.g. Border router perhaps. Cisco routers have good QoS, and also have a rotary NAT feature that load balances incoming packets sent to a global IP to multiple private IPs. This feature however is very simple and is nowhere near the capabilities of HTTP load balancing on Check Point (NG at least). There is also a server load balancing feature in some Cisco routers, not familiar with this though.

I'd say keep the Check Point - why are you pushing it out? Maintenance expired?

Regards,
Justin

-----Original Message-----
From: eric nguyen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 3:38 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: OT: migration from CheckPoint to PIX firewall

My company is looking to migrate from CheckPoint over to Pix Firewall in the next couple of months and I have been assigned to this project. I have questions about Pix firewalls. We are a small company, less than 50 people.

a) Does pix firewall support QOS, traffic shaping or traffic prioritization? The checkpoint firewall we are using has a feature called "flood-gate" that can prioritize both inbound and outbound traffic. We would like to have this feature in Pix firewall as well.

b) Does pix support http load balancing? Checkpoint has a feature that supports http load-balancing for inbound traffic. We need this feature to load balance our web servers. I would like to have this feature in pix as well. We don't have the budget for dedicated load-balancer such as Cisco CSS. Open freeware is out of the question, will not fly past management.

Can pix do those things above without additional hardware?

Regards,
Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58989&t=58989
RE: migration from CheckPoint to PIX firewall [7:58957]
PIX doesn't support these 2 features. Actually I believe that although Cisco PIX firewalls' performance is better than Checkpoint, they have some disadvantages. Besides the features you have mentioned, Pix also lacks some NAT properties, logging performance etc.

-----Original Message-----
From: eric nguyen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 4:39 AM
To: [EMAIL PROTECTED]
Subject: OT: migration from CheckPoint to PIX firewall [7:58957]

My company is looking to migrate from CheckPoint over to Pix Firewall in the next couple of months and I have been assigned to this project. I have questions about Pix firewalls. We are a small company, less than 50 people.

a) Does pix firewall support QOS, traffic shaping or traffic prioritization? The checkpoint firewall we are using has a feature called "flood-gate" that can prioritize both inbound and outbound traffic. We would like to have this feature in Pix firewall as well.

b) Does pix support http load balancing? Checkpoint has a feature that supports http load-balancing for inbound traffic. We need this feature to load balance our web servers. I would like to have this feature in pix as well. We don't have the budget for dedicated load-balancer such as Cisco CSS. Open freeware is out of the question, will not fly past management.

Can pix do those things above without additional hardware?

Regards,
Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58981&t=58957
OT: migration from CheckPoint to PIX firewall [7:58957]
My company is looking to migrate from CheckPoint over to Pix Firewall in the next couple of months and I have been assigned to this project. I have questions about Pix firewalls. We are a small company, less than 50 people.

a) Does pix firewall support QOS, traffic shaping or traffic prioritization? The checkpoint firewall we are using has a feature called "flood-gate" that can prioritize both inbound and outbound traffic. We would like to have this feature in Pix firewall as well.

b) Does pix support http load balancing? Checkpoint has a feature that supports http load-balancing for inbound traffic. We need this feature to load balance our web servers. I would like to have this feature in pix as well. We don't have the budget for dedicated load-balancer such as Cisco CSS. Open freeware is out of the question, will not fly past management.

Can pix do those things above without additional hardware?

Regards,
Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58957&t=58957
checkpoint to Pix
Anyone had any luck setting up a VPN tunnel between these two?