Migrating from one firewall vendor to another can be a huge undertaking requiring hours of tedious access and NAT rule rewriting. Wouldn’t it be nice if someone came up with a FREE tool that converted one vendor’s firewall configuration files into another vendor’s format? Think of the tens or hundreds of man hours that it could save you. Well you’re in luck. That is exactly what Cisco has created with its free SCT tool. The bummer is it only works for converting Check Point firewall configs to Cisco ASA, PIX or FWSM configs. It currently works with Check Point 4.x, NG, UTM, and NGX. It won’t work with any other vendors yet. But if you’re doing a Check Point to Cisco firewall conversion, the SCT tool is a godsend.
Cisco SCT is available to anyone with a Cisco.com login. Be aware that the user of the tool should be trained properly and understand its limitations. Cisco recommends that you review/scrub the output to verify its accuracy. To that end, they have made a training slide deck and full documentation available to you. Another nice thing is that support is available by emailing to .
I find the SCT tool extremely easy to use, very accurate, and a huge time saver. The tool runs on a Windows PC. So how does it work exactly? Well, let’s see…
First you import the appropriate Check Point Firewall files into the tool. You’ll need the following files:
Here is a screen shot of the first page of the wizard:

The next step is to tell SCT how to format your Cisco firewall output files. You pick the platform (ASA, PIX, or FWSM) and other options as shown below:
The final step is to configure the Cisco firewall interfaces as shown below:
That’s it! The tool will convert all of the following from Check Point format to Cisco format:
The output from the SCT tool is fairly robust. It is formatted in HTML and heavily hyperlinked. It includes a conversion report indicating any conversion errors or notes. The output is formatted in such a way as to make it easier to understand exactly what Check Point rule created which Cisco rule. Here is a screenshot of a conversion report:

The original Check Point config is shown and is fully hyperlink enabled. Check out this example:

The final ASA config file is shown below with full comments and even shows which Check Point rule maps to each ASA rule.

All in all, the SCT tool is a huge time saver. Just its ability to transfer all of the network and service groups from Check Point to ASA is worth its weight in gold. True, the output should be looked over very carefully to make sure it is correct before putting it into production, but this pales in comparison with the time it takes to do a conversion from scratch. You can download the training and SCT tool here.
http://www.cisco.com/cgi-bin/tablebuild.pl/sct
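Since the article stresses that SCT output should be reviewed before it goes into production, here is a small review aid, added as an example and not part of Cisco's tool: it scans a converted ASA config (a constructed sample is embedded below; the rule-mapping comments imitate the style described above but are not real SCT output) for object-groups that rules reference but that were never defined, blanket `permit ip any any` rules, and access-lists that were converted but never bound to an interface.

```python
import re
from typing import Dict, List

# Constructed sample of a converted ASA config (not real SCT output).
SAMPLE_ASA_CONFIG = """\
! Check Point rule 1 -> ASA rule 1
object-group network DMZ_WEB_SERVERS
 network-object host 10.1.1.10
 network-object 10.1.2.0 255.255.255.0
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443
access-list outside_in extended permit tcp any object-group DMZ_WEB_SERVERS object-group WEB_PORTS
! Check Point rule 7 -> ASA rule 2 (MAIL_SERVERS group missing from the output)
access-list outside_in extended permit tcp any object-group MAIL_SERVERS eq 25
! Check Point rule 9 -> ASA rule 3
access-list outside_in extended permit ip any any
access-list outside_in extended deny ip any any
access-group outside_in in interface outside
"""

GROUP_DEF = re.compile(r"^object-group\s+(network|service|protocol|icmp-type)\s+(\S+)")
ACL_LINE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")

def review_asa_config(config: str) -> Dict[str, List[str]]:
    """Return review findings for a converted ASA config, keyed by category."""
    lines = [l.strip() for l in config.splitlines()]
    # Pass 1: collect every object-group that is defined, wherever it appears.
    defined = {m.group(2) for m in map(GROUP_DEF.match, lines) if m}
    findings: Dict[str, List[str]] = {"undefined_group": [], "any_any_permit": []}
    acl_names, bound = set(), set()
    for line in lines:
        if line.startswith("access-group "):
            bound.add(line.split()[1])  # ACL applied to an interface
            continue
        m = ACL_LINE.match(line)
        if not m:
            continue
        name, action, proto, rest = m.groups()
        acl_names.add(name)
        # Every object-group a rule references must have a definition.
        for ref in re.findall(r"object-group\s+(\S+)", line):
            if ref not in defined:
                findings["undefined_group"].append(f"{name}: {ref}")
        # A blanket permit deserves a second look before production.
        if action == "permit" and proto == "ip" and rest.split() == ["any", "any"]:
            findings["any_any_permit"].append(line)
    # ACLs that were converted but never bound to an interface enforce nothing.
    findings["unbound_acl"] = sorted(acl_names - bound)
    return findings
```

Feed it the converted config text (for example `review_asa_config(open(path).read())`) and work through each finding against the original Check Point rule named in the SCT comments.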
The opinions and information presented here are my personal views and not those of my employer.
Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.
Nice!
I just purchased ASAs to replace my checkpoints. Sounds like this tool will help immensely with the conversion. Thanks for pointing it out.
-Mike
conversion to ASA firewalls
About a year ago I had the challenging project of converting a large organization from Secure Computing's SideWinder G2 firewalls to Cisco ASA5540s. A conversion tool, or methodology for converting, would have been an enormous help! Unfortunately, the products are so distinct in how security policies are built and implemented that there really isn't any other method than a manual conversion. A single project like this tends to take on a life of its own, spawning many smaller projects. In the end, it was a good experience overall and I learned a lot. I'm not even sure how many hours were spent deciphering statements in one firewall and determining how best to transfer these to the new ASAs. The end result, I am pleased to say, is a very stable and secure Cisco environment with much better failover capabilities.
If I had to convert from Checkpoint to Cisco, I would definitely use this conversion tool.
Conversion
Michael,
Glad to hear your conversion went well and you're liking the ASA platform. I wish that Cisco had a conversion tool for a few other vendors to help with the conversion process. It would save everyone a ton of time.
checkpoint to asa conversion
Mike,
I am in the same boat with the conversion, but I am unable to get the files off the checkpoint to run them through the converter. How did you get them to export off the checkpoint?
Re: Cisco Security Conversion Tool (SCT)
We have been able to locate all associated files except rule.w. Is it possible that our implementation does not have this file? The file is not under the usual :etc/fw/conf/ directory. Any help?
Thanks,
Undertrained
Has anyone done the conversion yet?
Has anyone done the conversion yet? And if so, did it work well?
Please Let me know.
Thanks
Has anyone done the conversion yet?
I have all the files, but they don't seem to convert over correctly. Any assistance would be greatly appreciated. Please email me at
I found the files
I was getting the wrong files. The files are directly stored on the server and not the firewall. The conversion worked great.
Jerrod
Jerrod,
Where did you find the files and how did you get them exported off?
Thanks,
NGX
Has anyone successfully converted an HA clustered pair of NGX R65 gateways? I have approx. 15K rules and can't for the life of me believe that a tool that was last written three years ago would even be able to be 10% correct in the conversion. This article was written a year ago and does not address current Checkpoint builds. Am I missing something?
Let me know...