Author Topic: Migrate Checkpoint To Juniper ISG 1000  (Read 2119 times)

leocf

Migrate Checkpoint To Juniper ISG 1000
« on: August 21, 2009, 10:04:46 am »
Hello Everybody.

Has anyone migrated Checkpoint to a Juniper ISG 1000?
Is the migration fully manual?

Thank You.


CookieOrc

Re: Migrate Checkpoint To Juniper ISG 1000
« Reply #1 on: August 27, 2009, 02:47:03 pm »
Are you asking if migrating from a Checkpoint Firewall to a Juniper is a manual process..?

I have not used Checkpoint before, but I think it is safe to assume that, since these are two completely separate platforms, and although I am sure that you are able to do some of the translation in bulk, I doubt that there is a trustworthy system to automatically migrate a Checkpoint FW to an ISG 1000.

On a side note, the ISG1000 is a BIG boy. I am going to assume that this is going into the core of your network. I think you have to redesign your entire infrastructure, since I am sure the paradigm between the two companies cannot be all that similar.

kcullimo

Re: Migrate Checkpoint To Juniper ISG 1000
« Reply #2 on: August 27, 2009, 10:23:30 pm »
You'll find that the degree of automation introduced to the migration process will vary widely depending upon whom you hire to perform the work. You should probably treat claims that completely automatic conversion tools are 100% successful by maintaining a healthy degree of skepticism. The separation/incommensurability referred to within the first reply leads to such software almost always being bundled with professional services and rarely, if ever, offered for sale as a standalone product. Design decisions/judgment calls are required far too frequently to trust the outcome to software (although the degree to which manual intervention is required shrinks daily).

(Do note that, on some level, the paradigmatic nature of the difference between various manufacturers remains somewhat tempered by the fundamental goals & design of the communications protocols their products are supposed to be designed around.)

Redesigning your entire infrastructure is not always necessary, but the more flexibility you bring to the cutover process, the better your results tend to be.

A relatively safe generalization concerning conversion tools might run something like: "writing your own firewall migration automation tools provides insight into conversion issues difficult to otherwise come by/stumble upon."

Gareth

Re: Migrate Checkpoint To Juniper ISG 1000
« Reply #3 on: August 28, 2009, 04:43:13 am »
Check Point creates lots of "Check Point specific" rules in its rule base; there are a ton of implied rules that it created by default. There are also the specific ports it talks to its management server etc. on that would be obsolete after the migration. I'd suggest not trying to automate the migration.

This type of migration work is a good time to sanity check your rule base. It will be a lot more work but probably well worth it in the end.


kcullimo

Re: Migrate Checkpoint To Juniper ISG 1000
« Reply #4 on: August 28, 2009, 08:58:21 am »
There's plenty of merit associated with encouraging thoroughness & sanity checks, but removing the checkpoint-specific automation rules lends itself to automation more readily than other portions of the policy configuration.