
CheckPoint to MFE 8.3.x rules without conversion tool

Hi,

I'm now on a customer site during the implementation of a new MFE 8.3.1 cluster.

The customer already has a CheckPoint firewall.

My firewall (MFE) is located next to the original firewall, and we are not replacing firewalls but migrating services (and users) step by step from CheckPoint to MFE.

I know there is a Conversion Tool to convert CheckPoint or PIX rules to MFE rules.

I don't want to use it, because CheckPoint has a lot of old policy that we don't want to migrate.

We've decided to migrate step by step.

As you know, CheckPoint has a different rules engine than MFE.

In CheckPoint we don't have such a thing as ZONES.

Question:

How can I make MFE rules for what on CheckPoint was:

- Source ANY

- DEST (some_IP_in_the_internet)

- Service (HTTP, HTTPS)

- NAT (on MFE external IP)

What about zones?

What should I put in the ZONE field? <ANY> Zone?

What about anti-spoofing in this example?

Please clarify this for me, because I have some rules to migrate quite quickly.

Best regards

Krzysztof

1 Solution

Accepted Solutions
mtuma
Level 13
Message 2 of 6

Re: CheckPoint to MFE 8.3.x rules without conversion tool

Hello,

For your example, you can certainly put Source Zone <Any> if you like. What I probably will recommend is to lock the Source Zone down to any internal zone that clients will be located on.

Anti-spoofing will still work because the firewall will verify that the traffic is coming in on the correct zone, and if it is not, then it will deny the traffic (it checks the source IP address to verify that it belongs in the correct source zone).

Regards,

Matt

5 Replies

Re: CheckPoint to MFE 8.3.x rules without conversion tool

Thank you mtuma,

As I understand it, even if I put the <ANY> zone as the source or destination zone, MFE will know the IPs behind the interfaces and anti-spoofing will still work. Right?

What about NAT translation in this situation?

KA

mtuma
Level 13
Message 4 of 6

Re: CheckPoint to MFE 8.3.x rules without conversion tool

Hello,

Yes, the anti-spoofing will still occur regardless of how the rule is set up. If you use the NAT Host:Localhost object, the firewall will automatically NAT to the interface that the traffic is leaving on, so if the destination is on the External Zone, the traffic will be NAT'ted to the external interface.

-Matt
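
The two behaviours Matt describes above (the spoof check runs even when the rule's Source Zone is <Any>, and NAT Host:Localhost rewrites the source to the egress interface) in a small simulation, added here as an illustration; it is not MFE code, the interfaces, zones and addresses are constructed, and mapping a source IP to its zone by the networks configured on each interface is a simplifying assumption.

```python
# Constructed model of zone-based anti-spoofing and NAT-to-egress-interface.
# Not MFE's implementation: the zone lookup by configured network is assumed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str
    addr: str          # the interface's own IP, used as the NAT source address
    networks: tuple    # networks reachable through this interface (constructed)


# Constructed topology: one internal zone and one external (default-route) zone.
INTERFACES = (
    Interface("em0", "internal", "10.0.0.1", ("10.0.0.0/24", "10.1.0.0/16")),
    Interface("em1", "external", "203.0.113.10", ("0.0.0.0/0",)),
)


def longest_match(ip):
    """Return the interface whose configured network best matches ip (the routing decision)."""
    ip = ipaddress.ip_address(ip)
    best = None
    for iface in INTERFACES:
        for net in map(ipaddress.ip_network, iface.networks):
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (iface, net)
    return best[0] if best else None


def passes_antispoof(src_ip, ingress_iface, rule_src_zone="<Any>"):
    """The source IP must belong to the zone of the interface it arrived on.
    This check happens before the rule's Source Zone (which may be <Any>) is consulted."""
    ingress = next(i for i in INTERFACES if i.name == ingress_iface)
    expected = longest_match(src_ip)
    if expected is None or expected.zone != ingress.zone:
        return False                     # spoofed: the IP belongs to another zone
    return rule_src_zone in ("<Any>", ingress.zone)


def nat_localhost(dst_ip):
    """NAT Host:Localhost: the new source is the IP of the interface the packet leaves on."""
    return longest_match(dst_ip).addr
```

With a Source Zone of <Any>, an internal address arriving on the external interface is still dropped, and a destination reached via the default route is NAT'ted to the external interface's address.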

Re: CheckPoint to MFE 8.3.x rules without conversion tool

OK. Thank you for clarifying this.

KA

mtuma
Level 13
Message 6 of 6

Re: CheckPoint to MFE 8.3.x rules without conversion tool

No problem!