Migrating from one firewall vendor to another can be a huge undertaking requiring hours of tedious access and NAT rule rewriting. Wouldn’t it be nice if someone came up with a FREE tool that converted one vendor’s firewall configuration files into another vendor’s format? Think of the tens or hundreds of man-hours that it could save you. Well, you’re in luck. That is exactly what Cisco has created with its free SCT tool. The drawback is that it only works for converting Check Point firewall configs to Cisco ASA, PIX or FWSM configs. It currently works with Check Point 4.x, NG, UTM, and NGX. It won’t work with any other vendors yet. But if you’re doing a Check Point to Cisco firewall conversion, the SCT tool is a godsend.
Cisco SCT is available to anyone with a Cisco.com login. Be aware that the user of the tool should be trained properly and understand its limitations. Cisco recommends that you review/scrub the output to verify its accuracy. To that end, they have made a training slide deck and full documentation available to you. Another nice thing is that support is available by emailing to .
I find the SCT tool extremely easy to use, very accurate, and a huge time saver. The tool runs on a Windows PC. So how does it work exactly? Well, let’s see…
First you import the appropriate Check Point Firewall files into the tool. You’ll need the following files:
Here is a screen shot of the first page of the wizard:

The next step is to tell SCT how to format your Cisco firewall output files. You pick the platform (ASA, PIX, or FWSM) and other options as shown below:
The final step is to configure the Cisco firewall interfaces as shown below:
That’s it! The tool will convert all of the following from Check Point format to Cisco format:
The output from the SCT tool is fairly robust. It is formatted in HTML and heavily hyperlinked. It includes a conversion report indicating any conversion errors or notes. The output is formatted in such a way as to make it easier to understand exactly what Check Point rule created which Cisco rule. Here is a screenshot of a conversion report:

The original Check Point config is shown and is fully hyperlink enabled. Check out this example:

The final ASA config file is shown below with full comments and even shows which Check Point rule maps to each ASA rule.

All in all, the SCT tool is a huge time saver. Just its ability to transfer all of the network and service groups from Check Point to ASA is worth its weight in gold. True, the output should be looked over very carefully to make sure it is correct before putting it into production, but this pales in comparison with the time it takes to do a conversion from scratch. You can download the training and SCT tool here.
http://www.cisco.com/cgi-bin/tablebuild.pl/sct
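Since the post stresses scrubbing SCT's output before it goes into production, here is an added example (not part of the original post or of the SCT tool) of one such check: it parses the ASA `object-group network` definitions in a constructed sample of converted output and compares each group's members against the membership transcribed from the Check Point config, reporting anything missing or extra. The sample config and the expected membership are both constructed for this example.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample of converted ASA output (not real SCT output).
ASA_OUTPUT = """\
! object groups generated from Check Point network groups
object-group network Internal_Nets
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0
object-group network DMZ_Hosts
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group service Web_Ports tcp
 port-object eq 80
 port-object eq 443
"""

# Expected members per group, transcribed by hand from the Check Point
# objects file (constructed). Members are "address/mask" strings.
EXPECTED: Dict[str, Set[str]] = {
    "Internal_Nets": {"10.1.0.0/255.255.0.0", "10.2.0.0/255.255.0.0",
                      "10.3.0.0/255.255.0.0"},
    "DMZ_Hosts": {"192.0.2.10/255.255.255.255",
                  "192.0.2.11/255.255.255.255"},
}


def parse_asa_network_groups(config: str) -> Dict[str, Set[str]]:
    """Collect members of every 'object-group network' in an ASA config."""
    groups: Dict[str, Set[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = set()
            continue
        if line.startswith("object-group "):
            current = None  # service/protocol groups are not checked here
            continue
        m = re.match(r"\s+network-object host (\S+)", line)
        if m and current:
            groups[current].add(f"{m.group(1)}/255.255.255.255")
            continue
        m = re.match(r"\s+network-object (\S+) (\S+)", line)
        if m and current:
            groups[current].add(f"{m.group(1)}/{m.group(2)}")
    return groups


def diff_groups(expected: Dict[str, Set[str]], actual: Dict[str, Set[str]]
                ) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return {group: (missing_members, extra_members)} for groups that differ."""
    report = {}
    for name in set(expected) | set(actual):
        exp, act = expected.get(name, set()), actual.get(name, set())
        if exp != act:
            report[name] = (exp - act, act - exp)
    return report
```

Run against real output, the same check would read the ASA section of the SCT report and a membership list exported from the Check Point objects file; any group in the report is one to fix by hand before the config is deployed.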
The opinions and information presented here are my personal views and not those of my employer.
Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.
Nice!
I just purchased ASAs to replace my Checkpoints. Sounds like this tool will help immensely with the conversion. Thanks for pointing it out.
-Mike
conversion to ASA firewalls
About a year ago I had the challenging project of converting a large organization from Secure Computing's SideWinder G2 firewalls to Cisco ASA 5540s. A conversion tool, or methodology for converting, would have been an enormous help! Unfortunately, the products are so distinct in how security policies are built and implemented that there really isn't any other method than a manual conversion. A single project like this tends to take on a life of its own, spawning many smaller projects. In the end, it was a good experience overall and I learned a lot. I'm not even sure how many hours were spent deciphering statements in one firewall and determining how best to transfer these to the new ASAs. The end result, I am pleased to say, is a very stable and secure Cisco environment with much better failover capabilities.
If I had to convert from Checkpoint to Cisco, I would definitely use this conversion tool.
Conversion
Michael,
Glad to hear your conversion went well and you're liking the ASA platform. I wish that Cisco had a conversion tool for a few other vendors to help with the conversion process. It would save everyone a ton of time.
Re: Cisco Security Conversion Tool (SCT)
We have been able to locate all associated files except rule.w. Is it possible that our implementation does not have this file? The file is not under the usual :etc/fw/conf/ directory. Any help?
Thanks,
Undertrained