I'm in the process of migrating an existing firewall to the MFE. From reading some discussions here in the community I understood that the CLI is the best and fastest way to do it. Here is where I need your help:
- what are the CLI commands to write a rule policy and a NAT translation? (I have a lot of both entries from the existing firewall)
- how do I import the txt files and apply them all at once?
Your experience and best practices are welcome!
You'll want to use the cf command. You can read my blog post on the cf command here. You'll also need to read the man pages of all the cf commands you want to use. What I would do is use cf to create the network objects and then use the GUI to create the rules. Search this community for 'cf -f' for previous posts about this, and search the KB for the CLI guide to learn more commands.
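As an added illustration of the "create the network objects from a file, then apply the file with cf -f" approach recommended above (this is not code from the original post or from the vendor), the POSIX shell script below turns a simple "name,ip" CSV export of host objects into a batch file and refuses to emit anything if any line is bad, so you never apply a half-valid batch. The only cf-specific piece is the command line template inside gen_cf_batch; the subcommand and keyword names used there are an assumption for illustration and must be checked against the cf man pages on your own MFE before you run the generated file. The sample CSV at the bottom is constructed for the example.

```sh
#!/bin/sh
# Added example, not from the thread: build a cf batch file from a CSV of
# host objects so the whole set can be applied at once with "cf -f <file>".

# Return 0 if $1 is a dotted-quad IPv4 address with octets in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Read "name,ip" lines on stdin, skip blank lines and "#" comments, reject
# bad names, bad addresses and duplicate names, and print one command per
# object. Exit 1 (printing nothing useful) if any line was rejected.
gen_cf_batch() {
    seen=""
    rc=0
    lineno=0
    out=""
    while IFS=, read -r name ip rest; do
        lineno=$((lineno + 1))
        case "$name" in ''|'#'*) continue ;; esac
        # Object names: letters, digits, underscore, dot, dash only.
        case "$name" in
            *[!A-Za-z0-9_.-]*)
                echo "line $lineno: bad object name '$name'" >&2; rc=1; continue ;;
        esac
        if ! valid_ipv4 "$ip"; then
            echo "line $lineno: bad IPv4 address '$ip' for $name" >&2; rc=1; continue
        fi
        case " $seen " in
            *" $name "*)
                echo "line $lineno: duplicate object name '$name'" >&2; rc=1; continue ;;
        esac
        seen="$seen $name"
        # ASSUMED cf syntax for a host object; verify against "man cf" on the
        # firewall and adjust the template before applying the batch.
        out="$out$(printf 'ipaddr add name=%s ipaddr=%s' "$name" "$ip")
"
    done
    [ "$rc" -eq 0 ] && printf '%s' "$out"
    return "$rc"
}

# Constructed sample input (not real data). One line is deliberately broken so
# the run below shows the validation failing; fix it and the batch is emitted.
sample='web1,10.1.1.10
# comment line
app1,10.1.1.20
db1,10.1.1.999'

if printf '%s\n' "$sample" | gen_cf_batch > /tmp/mfe-objects.cf; then
    echo "batch written; review it, then apply with: cf -f /tmp/mfe-objects.cf"
else
    echo "fix the reported lines before applying anything" >&2
fi
```

Run it once against the export from the old firewall, read the errors it prints, and only hand the resulting file to cf -f after you have compared the first couple of generated lines with the man page syntax on your box.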
I don't have a specific answer to your question, but I would like to recommend this article, which has interesting tips for firewall migrations:
I hope it helps!
This is the question that everyone has when they first move to the MFE.
The process for me was to install the firewalls side by side.
Then basically start some basic rule creation on your vanilla firewall. Grab a laptop and set the MFE as your default gateway. Start creating a few basic rules to get used to the process, and experiment with the smart filter and basic IPS functions. Break out the Admin Guide for when you have some issue or new functionality that you don't understand. Once you have all this down, create your production rules and make sure that they work the way you want them to work. Plug the MFE into the networks that you want it to take over access to, then pick a machine (or a clone of an existing machine) in a network like the "DMZ" and test your external access, etc.

And then, once you figure you have it all working, start looking at the firewall audit trail, because more than likely, as in the case with SQL, it faked you out and didn't tell you that it wants MSDTC and other random ports. Once you have spent time verifying that your auditing is looking the way you want, it's time to switch over. Turn off the production FW, switch the interface address of the MFE to the production IP of your old FW, and look at the audits. If you think you have it, go home and dream about the audits, and then sit and have a cup of coffee the next morning with..... yes, you guessed it, the audits.

Marvel at the blocked and potential network probes, but don't make the mistake of turning on the IPS to blackhole these things. Write a new custom filter to audit network probes "AND" Srczone = external <--- blackhole that bad boy; otherwise, like me, you'll blackhole pretty much the entire network for about 2 minutes.
I don't know if the client is really the faster way at first. Once you have your head around the way that the MFE does things, you may want to start consolidating your ruleset afterwards. Also remember that in some cases the NAT setting may cause conflicts when dealing with HTTP rules, so it is sometimes best to stick with one interface, or just localhost, for the majority of rules involving NAT. I am sure that mtuma can explain this better.