Cisco Security Conversion Tool (SCT) -- Easing the pain of a Check Point to Cisco firewall migration

Migrating from one firewall vendor to another can be a huge undertaking requiring hours of tedious access and NAT rule rewriting. Wouldn’t it be nice if someone came up with a FREE tool that converted one vendor’s firewall configuration files into another vendor’s format? Think of the tens or hundreds of man-hours that it could save you. Well, you’re in luck. That is exactly what Cisco has created with its free SCT tool. The bummer is that it only works for converting Check Point firewall configs to Cisco ASA, PIX or FWSM configs. It currently works with Check Point 4.x, NG, UTM, and NGX. It won’t work with any other vendors yet. But if you’re doing a Check Point to Cisco firewall conversion, the SCT tool is a godsend.

Cisco SCT is available to anyone with a Cisco.com login. Be aware that the user of the tool should be trained properly and understand its limitations. Cisco recommends that you review/scrub the output to verify its accuracy. To that end, they have made a training slide deck and full documentation available to you. Another nice thing is that support is available by emailing sct-support@cisco.com. I find the SCT tool extremely easy to use, very accurate, and a huge time saver. The tool runs on a Windows PC.

So how does it work exactly? Well, let’s see… First you import the appropriate Check Point firewall files into the tool. You’ll need the following files:

  • objects.C (4.x) or objects_5_0.C (NG), which holds the network and service object definitions
  • rule.W, which contains the firewall policy (the rulebase)
  • rulebases_5_0.fws (optional, but it carries the rule comments)
  • route and interface information from the Check Point gateway

Here is a screen shot of the first page of the wizard:

[img=450x350]http://home.comcast.net/~heary/sct1.gif[/img]

The next step is to tell SCT how to format your Cisco firewall output files. You pick the platform (ASA, PIX, or FWSM) and other options as shown below:

[img=450x350]http://home.comcast.net/~heary/sct2.gif[/img]

The final step is to configure the Cisco firewall interfaces as shown below:

[img=450x350]http://home.comcast.net/~heary/sct3.gif[/img]

That’s it! The tool will convert all of the following from Check Point format to Cisco format:

  • Access rules and security policies
  • Network objects and groups
  • Service objects and groups
  • NAT rules
  • Static routes
  • Interface-related configuration
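To make the conversion categories above concrete, here is a small added example (it is not Cisco's SCT code and does not parse the real objects_5_0.C or rule.W formats). It takes a constructed, already-parsed picture of a Check Point rulebase (hypothetical object, service and rule names) and emits the equivalent ASA object-groups, access-list entries, access-group binding and static route, with a `remark` line tying each ACE back to its Check Point rule number. Anything it cannot map, such as a service with no ASA equivalent, goes into a conversion report rather than silently into the config, which is the same kind of error/note report SCT produces.

```python
"""Toy Check Point-to-ASA converter (added example, not Cisco's SCT code).

Input is a constructed dict standing in for what SCT reads from
objects_5_0.C and rule.W; the real file formats are not parsed here.
"""
import ipaddress

# Constructed sample data: hypothetical names, documentation addresses.
NET_OBJECTS = {
    "Internal_Net": {"type": "network", "addr": "10.1.0.0/16"},
    "DMZ_Web": {"type": "host", "addr": "192.0.2.10"},
    "Internal_Hosts": {"type": "group", "members": ["Internal_Net"]},
}
SERVICES = {
    "http": {"proto": "tcp", "port": 80},
    "https": {"proto": "tcp", "port": 443},
    "Web_Services": {"proto": "group", "members": ["http", "https"]},
    "fw1_ica": {"proto": "other", "port": None},  # deliberately unmappable
}
RULES = [
    {"no": 1, "src": "any", "dst": "DMZ_Web", "svc": "Web_Services", "action": "accept", "comment": "Public web"},
    {"no": 2, "src": "Internal_Hosts", "dst": "any", "svc": "any", "action": "accept", "comment": "Outbound"},
    {"no": 3, "src": "any", "dst": "any", "svc": "fw1_ica", "action": "accept", "comment": "Mgmt"},
    {"no": 4, "src": "any", "dst": "any", "svc": "any", "action": "drop", "comment": "Cleanup"},
]
ROUTES = [{"dest": "0.0.0.0/0", "gw": "203.0.113.1", "iface": "outside"}]


def net_object_lines(name, obj):
    """ASA object-group for one Check Point network object or group."""
    lines = [f"object-group network {name}"]
    if obj["type"] == "host":
        lines.append(f" network-object host {obj['addr']}")
    elif obj["type"] == "network":
        net = ipaddress.ip_network(obj["addr"])
        lines.append(f" network-object {net.network_address} {net.netmask}")
    else:  # group of groups/objects
        lines += [f" group-object {m}" for m in obj["members"]]
    return lines


def service_spec(name):
    """Return (ASA protocol keyword, port clause) for a Check Point service."""
    if name == "any":
        return "ip", ""
    svc = SERVICES[name]
    if svc["proto"] == "group":
        protos = {SERVICES[m]["proto"] for m in svc["members"]}
        if len(protos) != 1 or protos & {"group", "other"}:
            raise ValueError(f"service group {name} is not a single-protocol group")
        return protos.pop(), f" object-group {name}"
    if svc["proto"] in ("tcp", "udp"):
        return svc["proto"], f" eq {svc['port']}"
    raise ValueError(f"service {name} has no ASA equivalent")


def endpoint(name):
    """Source/destination clause: 'any' or a reference to the object-group."""
    return "any" if name == "any" else f"object-group {name}"


def convert(acl_name="outside_in", iface="outside"):
    """Emit ASA config lines and a report of [(CP rule no or None, message)]."""
    config, report = [], []
    for name, obj in NET_OBJECTS.items():
        config += net_object_lines(name, obj)
    for name, svc in SERVICES.items():
        if svc["proto"] != "group":
            continue
        try:
            proto, _ = service_spec(name)
        except ValueError as e:
            report.append((None, str(e)))
            continue
        config.append(f"object-group service {name} {proto}")
        config += [f" port-object eq {SERVICES[m]['port']}" for m in svc["members"]]
    for r in RULES:
        # Remark first, so every ACE can be traced back to its Check Point rule.
        config.append(f"access-list {acl_name} remark CP rule {r['no']}: {r['comment']}")
        try:
            proto, ports = service_spec(r["svc"])
        except ValueError as e:
            report.append((r["no"], f"skipped: {e}"))
            continue
        action = {"accept": "permit", "drop": "deny", "reject": "deny"}.get(r["action"])
        if action is None:
            report.append((r["no"], f"skipped: action {r['action']} not supported"))
            continue
        config.append(f"access-list {acl_name} extended {action} {proto} "
                      f"{endpoint(r['src'])} {endpoint(r['dst'])}{ports}")
    config.append(f"access-group {acl_name} in interface {iface}")
    for rt in ROUTES:
        net = ipaddress.ip_network(rt["dest"])
        config.append(f"route {rt['iface']} {net.network_address} {net.netmask} {rt['gw']} 1")
    return config, report


if __name__ == "__main__":
    cfg, rep = convert()
    print("\n".join(cfg))
    print("\nConversion report:", rep)
```

Rule 3 in the sample references a service the converter cannot express on the ASA, so the output keeps only its `remark` line and the report records the skip; that is exactly the kind of entry you want to see in a conversion report before the config goes anywhere near production.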

The output from the SCT tool is fairly robust. It is formatted in HTML and heavily hyperlinked. It includes a conversion report indicating any conversion errors or notes. The output is formatted in such a way as to make it easier to understand exactly what Check Point rule created which Cisco rule. Here is a screenshot of a conversion report:

[img=450x350]http://home.comcast.net/~heary/sct4.gif[/img]

The original Check Point config is shown and is fully hyperlink enabled. Check out this example:

[img=450x350]http://home.comcast.net/~heary/sct5.gif[/img]

The final ASA config file is shown below with full comments and even shows which Check Point rule maps to each ASA rule.

[img=450x350]http://home.comcast.net/~heary/sct6.gif[/img]

All in all, the SCT tool is a huge time saver. Just its ability to transfer all of the network and service groups from Check Point to ASA is worth its weight in gold. True, the output should be looked over very carefully to make sure it is correct before putting it into production, but this pales in comparison with the time it takes to do a conversion from scratch. You can download the training and the SCT tool here: http://www.cisco.com/cgi-bin/tablebuild.pl/sct

The opinions and information presented here are my personal views and not those of my employer.


Copyright © 2008 IDG Communications, Inc.
