    firewall enterprise control centre - cli import policy help?



      I've recently been given the task of migrating all the rules from a Juniper FW to our s5032 running FW Enterprise 8.2.1.

      I was wondering if there was an easier way to migrate rules apart from entering them 1 by 1 through the Control Centre GUI? I've successfully imported all network objects from the Juniper, but adding all these rules is going to take months (5+ years' worth of rules).


      From what I have been told, I should not be creating these rules from the CLI on the FW directly because all changes would get overwritten by the Control Centre appliance.

      Is this true? How do others make bulk rules without having to depend on the GUI?


      Thank you

        • 1. Re: firewall enterprise control centre - cli import policy help?

          I'm not that familiar with Control Centre, but based on the job it is designed to do, there is a distinct chance that you may find that when applying policy changes directly to a Firewall appliance it may then be overwritten by a subsequent config change in Control Center.


          If you've not done so already, it may be worth raising a service request with support to see if they have a policy configuration tool which they can make available that will take your Juniper policy and migrate it to something which can then be imported into MFE. Historically I have been aware of a tool which will convert Checkpoint configurations, and possibly even Cisco Pix/ASA, but I don't recall hearing about a Juniper one.


          Again, like Control Center, I'm not that sure. In the past I have taken a deep breath and done it all manually.

          • 2. Re: firewall enterprise control centre - cli import policy help?



            Phil is correct, we have some tools to migrate policies from other firewall brands, but unfortunately Support does not have those tools. It would make sense to contact sales/professional services for this.


            You are correct in that the CC will overwrite any changes you make on the firewall. If you really want to though, you could create all rules on the CLI of the firewall, and then retrieve the rules through the CC. That way the CC and FW policy would match.